(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 17 June 2004 (17.06.2004)

PCT

(10) International Publication Number: WO 2004/051964 A2



(51) International Patent Classification 7: H04L 29/06

(21) International Application Number: PCT/US2003/038527

(22) International Filing Date: 3 December 2003 (03.12.2003)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 60/430,398, 3 December 2002 (03.12.2002), US



(71) Applicant: FUNK SOFTWARE, INC. [US/US]; 222 Third Street, Cambridge, MA 02142 (US).

(72) Inventor: FUNK, Paul; 4\\ Linnaean Street, Cambridge, MA 02138 (US).

(74) Agent: MCLOUGHLIN, Daniel, P.; Wolf, Greenfield & Sacks, P.C., 600 Atlantic Avenue, Boston, MA 02210 (US).



(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NI, NO, NZ, OM, PG, PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, SY, TJ, TM, TN, TR, TT, TZ, UA, UG, UZ, VC, VN, YU, ZA, ZM, ZW.

(84) Designated States (regional): ARIPO patent (BW, GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HU, IE, IT, LU, MC, NL, PT, RO, SE, SI, SK, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

Published:

without international search report and to be republished upon receipt of that report

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.



(54) Title: TUNNELED AUTHENTICATION PROTOCOL FOR PREVENTING MAN-IN-THE-MIDDLE ATTACKS




(57) Abstract: Systems and methods for preventing a Man-in-the-Middle attack on a communications network, without combining encryption keys of an inner authentication protocol and a tunneling protocol encapsulating the inner authentication protocol. The performance of a hash function may be split between two network devices on the communications network. For example, in response to a challenge issued by a tunnel server, a client may initiate performance of a hash function using only a first part of the challenge and generate an intermediate result of the hash function (i.e., a preliminary hash). The client then may transmit the preliminary hash to the tunnel server as part of a response to the challenge. The tunnel server then may complete the hash function using the preliminary hash and the remaining part of the challenge to produce a final hash. The final hash then may be used to authenticate a user.
TUNNELED AUTHENTICATION PROTOCOL FOR PREVENTING MAN-IN-THE-MIDDLE ATTACKS

BACKGROUND 

Communications networks (e.g., the Internet) continue to have a growing role in today's world. As used herein, a "network" or a "communications network" is a group of two or more devices interconnected by one or more segments of transmission media on which communications may be exchanged between the devices. Each segment may be any of a plurality of types of transmission media, including one or more electrical or optical wires or cables made of metal and/or optical fiber, electromagnetic (e.g., wireless) transmission or any combination of these transmission media. As used herein, "plurality" means two or more. As used herein, a "network device" is a device operative to communicate on a network, including, but not limited to: workstations, personal computers, terminals, laptop computers, end stations, servers, gateways, registers, switches, routers, hubs, bridges, directories, transmitters, receivers, repeaters, and any combinations thereof. As used herein, whether in the written description or the claims, the terms "comprising", "including", "carrying", "having", "containing", "involving", and the like are to be understood to be open-ended, i.e., to mean including but not limited to. Only the transitional phrases "consisting of" and "consisting essentially of", respectively, shall be closed or semi-closed transitional phrases, as set forth, with respect to claims, in the United States Patent and Trademark Office Manual of Patent Examining Procedures (Original Eighth Edition, August 2001), Section 2111.03.

As the roles of networks continue to expand, network security becomes increasingly critical. A common form of network security is user authentication, in which users must authenticate their identities to a network before being allowed access to the network or certain network resources available on the network. As used herein, an "authentication protocol" is a protocol (i.e., a set of rules and procedures) for authenticating a user to a network. A common form of user authentication is password-based authentication, in which an authentication server issues a challenge to the user (e.g., prompts the user for user credentials), and the user responds with user-authenticating information (e.g., credentials such as a username and password). Typically, the user-authenticating information as supplied by the user is encrypted. As used herein, an "authentication server" is a logical entity residing on a network device, which is operative to authenticate a user for access to a network. As used herein, a "challenge" is information transmitted from a first network device to a second network device, as part of an authentication process, prompting the second network device to issue a response (e.g., including one or more user credentials) to be authenticated.

Most password-based authentication protocols are inherently of low security due to the fact that passwords are typically of low entropy. Such protocols are susceptible to "dictionary" (i.e., password-guessing) attacks mounted by an eavesdropping attacker. Such password-based authentication protocols include Challenge Handshake Authentication Protocol (CHAP), Extensible Authentication Protocol-Message Digest 5 Challenge (EAP-MD5 Challenge or MDC), Microsoft's MS CHAP and EAP-GenericTokenCard. Other authentication protocols use more secure encryption techniques that involve the use of encryption keys. Such authentication protocols include Extensible Authentication Protocol GSM Subscriber Identity Module (SIM).

To further secure communications between two network devices, tunneling protocols have been developed. As used herein, a network "tunnel" is a secure transmission path established across one or more networks between a first network device and a second network device, such that the first and second network devices can exchange communications along the path, and the contents thereof (except for information necessary for proper switching and routing) are secured against ascertainment by any entity except the first and second network devices. "Tunneling" refers to the establishing and maintaining of a tunnel, and the transmission of communications within a tunnel. A "tunneling protocol" is a protocol for implementing a tunnel. A common example of the use of a tunnel is to establish a Virtual Private Network (VPN) across a public network (e.g., the Internet) between a user device and a remote access server, for example, a Remote Authentication Dial-In User Service (RADIUS) server, of a private network such as a corporate Local Area Network (LAN).

Tunneling protocols use more sophisticated encryption techniques and typically use public/private key cryptography to establish encryption keys that allow subsequent transmissions to be secure against eavesdroppers. Typically, at least one of the network devices that terminate (i.e., serve as an endpoint for) the tunnel certifies its identity to the other network device using a certificate or other credentials; both devices may separately authenticate. After the identities of one or both of the network devices are certified (such that each certified device is "trusted" by the other device), the tunnel is created and secure communications are exchanged within the tunnel between the two network devices. There are a variety of tunneling protocols, including Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS or TTLS) and Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP or PEAP). TTLS and PEAP both are based on tunnels created via Transport Layer Security (TLS) technology, which was formerly known as Secure Sockets Layer (SSL). An authentication protocol may be encapsulated within a tunnel established by a tunneling protocol, in order to secure the authentication protocol against eavesdropping attacks. As used herein, an "inner protocol" or "tunneled protocol" means an authentication protocol transmitting and/or receiving communications within a tunnel provided by a tunneling protocol.

Fig. 1 is a block and information flow diagram illustrating an example of a known system 100 for encapsulating inner protocol communications within a tunnel provided by a tunneling protocol. System 100 includes client 102 and tunnel server 112.

As used herein, a "client" is a logical entity associated with a user, residing on a network device, serving as an endpoint to a tunnel and operative to generate and transmit a response to a challenge on behalf of the user. The network device on which the client resides may be used by the user to access a network, for example, by communicating with a remote access server of the network. The network device on which the client resides may be a user device, for example, a workstation, terminal, personal computer, laptop computer, telephone, pager, BlackBerry™ brand device, personal digital assistant (PDA), or any combination thereof or other device that can provide client functionality. As used herein, a "tunnel server" is a logical entity, residing on a network device different than the network device on which the client resides, serving as an endpoint to a tunnel and operative to generate and transmit a challenge.

Tunnel server 112 issues a challenge 108 in accordance with an inner protocol to client 102. In response, a hash generator 104 of client 102 generates a response 110 to the challenge and the client transmits the response 110 to tunnel server 112. Tunnel server 112 and client 102 serve as endpoints (i.e., terminals) for a tunnel 106 that encapsulates communications (e.g., challenge 108 and response 110) between the client 102 and tunnel server 112. The inner protocol may be any suitable protocol such as (but not limited to) any of a variety of legacy authentication protocols, for example, an MD5-based authentication protocol, such as CHAP or MDC. As used herein, an "MD5-based protocol" is an authentication protocol that uses an MD5 algorithm or variation thereof to exchange information, and an MD5-based hash function is an MD5 hash function or variant thereof.

Fig. 2 is a flowchart illustrating an example of a known method 200 of authenticating a user according to an MD5 algorithm.
In Act 202, an MD5 challenge is generated for the user. Such challenge may be generated on an authentication server (e.g., 126) or on an intermediate server, for example, a tunnel server (e.g., 112) between the client (e.g., 102) and authentication server. Such challenge may be a random challenge of variable length.

In Act 204, a first communication is transmitted to the client, the first communication including the MD5 challenge. Such communication may be transmitted directly from the authentication server or through an intermediate server.

In a following Act 206, the following information is concatenated in the following order: the MD5 authentication protocol identifier, the user's password, the MD5 challenge, a single octet of hexadecimal value 80, padding octets and eight octets indicating a message length, to produce an MD5 hash function input sequence. The number of padding octets is configured such that the length of the MD5 hash function input sequence is a multiple of 64 octets. The "message" is the concatenation of the authentication protocol identifier, the user's password and the MD5 challenge, such that the message length indicates the length of this concatenation.

In Act 208, an MD5 hash value (i.e., message digest or hash) is generated using the MD5 hash function input sequence, for example, as illustrated in Fig. 3. A hash value is a number generated from a string of information (e.g., text, a number, or a combination thereof). Typically, a hash value is substantially smaller than the string of information from which it was generated. Hash functions (e.g., an MD5 hash function) are designed such that it is extremely unlikely that any two strings of information (i.e., the hash function input sequence) input to the hash function produce the same hash value.

Fig. 3 is an information flow diagram illustrating a known method of generating an MD5 hash value 318 from an MD5 hash function input sequence 302. The hash function input sequence 302 includes the message 310 and the appendage 317. The message 310 includes the MD5 protocol identifier 304, user's password 306 and MD5 challenge 308. The appendage includes hex 80 octet 312, padding octets 314 and eight-octet message length field 316. The value of message length field 316 indicates the length of message 310.

The MD5 hash function input sequence 302 is input to the hash generator 104 to produce MD5 hash value 318. The elements of input sequence 302, namely components 304, 306, 308, 312, 314 and 316, are received by the hash generator in the order shown in Fig. 3, starting with 304 and proceeding in ascending order.
MD5 is an iterative algorithm that applies a hash function repeatedly to successive 64-octet blocks of input sequence data until the entire input sequence has been hashed. The message included within the input sequence may be of any length, and the MD5 appendage is configured such that the total input sequence length is a multiple of 64 octets. Each iteration of the MD5 algorithm applies the hash function to two parameters: a 16-octet vector, and a 64-octet segment from the input sequence. If f(x, y) is the hash function, V[n] is the nth 16-octet vector, and M[n] is the nth 64-octet message block, then V[0] = I, which is a fixed initialization vector defined for MD5, and V[n+1] = f(V[n], M[n]). The final output of the MD5 algorithm is a 16-octet vector defined as V[N], where N is the number of 64-octet blocks included in the function input sequence. Accordingly, referring to Fig. 3, MD5 hash value 318 is a 16-octet vector, V[N].

Returning to Fig. 2, in Act 210, a second communication is transmitted from the client to the tunnel server, the second communication including the generated MD5 hash value in response to the challenge, for example, MD5 hash value 318. In a final Act 212 of method 200, the user is authenticated based on the MD5 hash value, for example, by an authentication server.

Recent cryptographic analysis has revealed that, while tunneling protocols generally provide more secure communications across a network than authentication protocols, they introduce a new vulnerability in certain circumstances. Because these tunneling protocols do not cryptographically combine their encryption keys with encryption keys derived from the inner protocols that they encapsulate, it is possible for an attacker to effect the following attack, called a Man-in-the-Middle (MiM) attack. The attacker poses as an authentication server and dupes a client into using a password-based authentication protocol outside of a tunnel (i.e., in untunneled mode) to exchange protocol payloads with the attacker. Then, posing as the client, the attacker establishes communication with a tunnel server and establishes a tunnel. In response to the tunnel server's challenge, the attacker responds with the protocol payload (e.g., the response) gained from the client. The transmission of the protocol payload is encapsulated within the tunnel. Thus, the attacker authenticates to the server as if the attacker were the actual user. In order for such a MiM attack to be feasible, the following conditions must be met: (1) the user must use the same legacy authentication protocol both in tunneled and untunneled modes, (2) the user must use the same credentials (e.g., username and password) in both tunneled and untunneled modes, and (3) the attacker must be able to pose as an authentication server on the network on which the user uses the legacy protocol in untunneled mode.
Referring to Fig. 1, consider the example when the client 102 attempts to establish a session with an authentication server 126 across a wireless communication medium. The attacker 118 poses as the authentication server 126 and intercepts communications from the client 102. The attacker then issues a challenge 114 to the client in accordance with a legacy authentication protocol and outside of a tunnel (i.e., in untunneled mode), and the client 102 responds, outside of a tunnel, with a response 116 in accordance with the legacy authentication protocol. The attacker 118 records the response 116. The attacker 118 then initiates a session with another server using the same legacy authentication protocol, but inside of a tunnel. For example, attacker 118 initiates a session with tunnel server 112 or another server for which tunnel server 112 serves as an intermediate server for communication with attacker 118. In either event, the tunnel server 112 and the attacker 118 serve as terminals or endpoints for a tunnel 120. If the client 102 is configured to use the same legacy authentication protocol and use the same credentials within tunnel 120 as were used to generate response 116 outside of the tunnel 120, then, in response to challenge 124 (which is the same as challenge 114, albeit encapsulated within tunnel 120), attacker 118 responds with response 122 (which is the same as response 116, albeit encapsulated in tunnel 120). The tunnel server 112 or the authentication server then authenticates the user credentials within the response 122 and confirms that attacker 118 is client 102, allowing great mischief to follow.

The Internet Engineering Task Force (IETF) EAP working group is studying means to preclude the MiM attack. The current general opinion of that group is that the MiM attack only can be prevented if the inner protocol is capable of generating its own encryption keys. This opinion implies that tunneling protocols such as TTLS and PEAP can be made safe against the MiM attack for inner protocols that can generate encryption keys such as MS CHAP and SIM, but not for inner protocols such as CHAP, MDC or GenericTokenCard.

SUMMARY

In an embodiment of the invention, a user is at least partially authenticated on a communications network. A first communication is transmitted from a first network device to a second network device, wherein the first communication includes a challenge. In response to receiving the challenge, a preliminary hash value is generated by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge. A second communication is transmitted from the second network device to the first network device, the second communication including the preliminary hash value. Performance of the hash function is completed on the first network device to produce a final hash value.

In an aspect of this embodiment, only part of a Message Digest 5-based encryption function is performed.

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes adding an appendage of information to information to be communicated to produce padded information that has a length that is a multiple of sixty-four octets, and includes inputting the padded information to a standard Message Digest 5 function. An input sequence to the Message Digest 5-based encryption function is generated by concatenating information to be communicated from the second network device to the first network device. The input sequence is input into the Message Digest 5-based encryption function without previously adding an appendage of information to the input sequence.

In another aspect of this embodiment, the complete performance of the hash function involves performing a first number of iterations, generating the preliminary hash value includes performing a second number of iterations less than the first number of iterations, and completing the hash function includes performing a third number of iterations equal to the first number minus the second number, resulting in a complete performance of the hash function.

In yet another aspect of this embodiment, completing the hash function includes completing the hash function using a second part of the challenge, wherein the first part and the second part form the complete challenge.

In another aspect of this embodiment, generating the preliminary hash value includes generating the preliminary hash value based, at least in part, on the first part of the challenge and a user credential.

In another aspect of this embodiment, generating the preliminary hash value includes dividing the challenge into the first part and a second part, and the method further includes the following. The second communication is configured to include an indication of a length in bits of the user credential. Completing the hash function includes completing the hash function based, at least in part, on the second part of the challenge and the length of the user credential.

In yet another aspect of this embodiment, completing the hash function includes: determining a state of the hash function based, at least in part, on the length of the user credential; and completing the hash function based, at least in part, on the determined state.
determining a length of the second part based, at least in part, on a length of the challenge and the length of the user credential, and completing the hash function based, at least in part, on the determined length of the second part.
In another aspect of this embodiment, the challenge is generated on the first network device, including generating a portion of the challenge having a length equal to a desired amount of entropy for the challenge, and appending bits to the portion of the challenge to produce the challenge.

In yet another aspect of this embodiment, generating the challenge includes appending sixty-three bits to the portion.

In another aspect of this embodiment, the challenge includes a plurality of sequences of bits. The challenge is generated on the first network device, including configuring one or more of the plurality of sequences (e.g., octets) to include at least one non-zero bit.

In another aspect of this embodiment, the challenge is generated on the first network device, including configuring the challenge to include at least a minimum number of octets of bits.

In yet another aspect of this embodiment, generating the preliminary hash value includes: (1) determining a length of a concatenation of an authentication protocol identifier, a user credential and the challenge; and (2) dividing the challenge into the first part and a second part based on the determined length.
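The split computation described in the Summary, and the block-iterated MD5 of Fig. 3 that makes it possible, as an added example that is not code from the patent or from Funk Software: the client runs the MD5 iteration V[n+1] = f(V[n], M[n]) only over the identifier, password and the first part of the challenge (cut so that prefix ends on a 64-octet boundary), sends the 16-octet state plus the credential's bit length, and the tunnel server finishes with the second part of the challenge and the appendage. Function names, the split rule and all inputs are assumptions for illustration; the final hash is checked against hashlib's one-shot MD5 of the whole message.

```python
import hashlib
import math
import struct

# From-scratch MD5 with its per-block iteration exposed, so a client can stop after a
# whole number of 64-octet blocks and hand the 16-octet state V[n] to the tunnel server.
M32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # V[0], fixed by RFC 1321
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & M32 for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & M32


def md5_iteration(state, block):
    """One iteration V[n+1] = f(V[n], M[n]) over a single 64-octet block M[n]."""
    assert len(block) == 64
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & M32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & M32
    return tuple((x + y) & M32 for x, y in zip(state, (a, b, c, d)))


def md5_iterate(state, data):
    """Feed every 64-octet block of data through md5_iteration; len(data) % 64 == 0."""
    assert len(data) % 64 == 0
    for off in range(0, len(data), 64):
        state = md5_iteration(state, data[off:off + 64])
    return state


def md5_appendage(message_len):
    """Hex 80 octet, zero padding to 56 mod 64, then 8-octet little-endian bit length."""
    pad = b"\x00" * ((55 - message_len) % 64)
    return b"\x80" + pad + struct.pack("<Q", (message_len * 8) & 0xFFFFFFFFFFFFFFFF)


def split_point(prefix_len, challenge_len):
    """Octets of challenge that bring ident || password || first part to a 64-octet boundary.
    Assumed split rule: the last block boundary inside the message; the patent's extra
    challenge bits exist so that such a boundary always falls within the challenge."""
    first = ((prefix_len + challenge_len) // 64) * 64 - prefix_len
    if not 0 < first < challenge_len:
        raise ValueError("challenge too short to contain a block boundary")
    return first


def client_preliminary_hash(ident, password, challenge):
    """Client: iterate only over ident || password || challenge[:first]; no appendage yet.
    Returns the 16-octet preliminary hash and the credential length in bits."""
    first = split_point(len(ident) + len(password), len(challenge))
    state = md5_iterate(IV, ident + password + challenge[:first])
    return struct.pack("<4I", *state), len(password) * 8


def server_final_hash(ident, challenge, preliminary, password_bits):
    """Tunnel server: knows the challenge and the credential length, never the password."""
    prefix_len = len(ident) + password_bits // 8
    first = split_point(prefix_len, len(challenge))
    message_len = prefix_len + len(challenge)
    state = struct.unpack("<4I", preliminary)
    state = md5_iterate(state, challenge[first:] + md5_appendage(message_len))
    return struct.pack("<4I", *state)


def demo(password=b"correct horse"):
    """Constructed inputs: a CHAP-style identifier octet and an 80-octet challenge."""
    ident = b"\x01"
    challenge = bytes((i * 37 + 11) & 0xFF for i in range(80))  # constructed, not random
    preliminary, bits = client_preliminary_hash(ident, password, challenge)
    final = server_final_hash(ident, challenge, preliminary, bits)
    expected = hashlib.md5(ident + password + challenge).digest()  # one-shot reference
    return final == expected, preliminary != expected


if __name__ == "__main__":
    print(demo())
```

The second value returned by demo() is the point of the scheme: the preliminary hash sent inside the tunnel is not the full-digest response a legacy untunneled exchange would produce, so a response captured outside the tunnel cannot be replayed as the tunneled answer.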

In another aspect of this embodiment, the user is authenticated based on the final hash value.

In another aspect of this embodiment, a third communication including the final hash value is transmitted to a third network device configured to authenticate the user.

In yet another aspect of this embodiment, the first communication is transmitted within a tunnel between the first network device and the second network device.

In another embodiment of the invention, a computer program is used to control a computer to perform the method of the embodiment described in the preceding paragraphs.

In another embodiment of the invention, a computer-readable medium is provided that stores computer-readable signals defining instructions that, as a result of being executed by a computer, instruct the computer to perform the above method of the embodiment described in the preceding paragraphs.
In yet another embodiment of the invention, a system is provided for at least partially authenticating a user on a communications network. The system includes a first communication device operative to transmit a first communication from a first network device to a second network device, wherein the first communication includes a challenge. The system further includes a second network device, operative to receive the challenge, generate a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, and to transmit a second communication from the second network device to the first network device, the second communication including the preliminary hash value. The first network device is operative to complete performance of the hash function to produce a final hash value.

In an aspect of this embodiment, the second network device is operative to perform only part of a Message Digest 5-based encryption function.

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes adding an appendage of information to information to be communicated to produce padded information that has a length that is a multiple of sixty-four octets, and includes inputting the padded information to a standard Message Digest 5 function. The second network device is operative to generate an input sequence to the Message Digest 5-based encryption function by concatenating information to be communicated from the second network device to the first network device, and to input the input sequence into the Message Digest 5-based encryption function without previously adding an appendage of information to the input sequence.

In another aspect of this embodiment, the complete performance of the hash function involves performing a first number of iterations, and the second network device is operative to perform a second number of iterations less than the first number of iterations. The first network device is operative to perform a third number of iterations equal to the first number minus the second number, resulting in a complete performance of the hash function.

In another aspect of this embodiment, the first network device is operative to complete the hash function using a second part of the challenge, wherein the first part and the second part form the complete challenge.

In yet another aspect of this embodiment, the first network device is operative to generate the preliminary hash value based, at least in part, on the first part of the challenge and a user credential.
In another aspect of this embodiment, the second network device is operative to divide the challenge into the first part and a second part, and to configure the second communication to include an indication of a length in bits of the user credential. The first network device is operative to complete the hash function based, at least in part, on the second part of the challenge and the length of the user credential.

In another aspect of this embodiment, the first network device is operative to determine a state of the hash function based, at least in part, on the length of the user credential, and to complete the hash function based, at least in part, on the determined state.

In yet another aspect of this embodiment, the first network device is operative to determine a length of the second part based, at least in part, on a length of the challenge and the length of the user credential, and to complete the hash function based, at least in part, on the determined length of the second part.

In another aspect of this embodiment, the first network device is operative to generate the challenge on the first network device, including generating a portion of the challenge having a length equal to a desired amount of entropy for the challenge, and to append bits to the portion of the challenge to produce the challenge.

In another aspect of this embodiment, the first network device is operative to append sixty-three bits to the portion.

In another aspect of this embodiment, the challenge includes a plurality of sequences (e.g., octets) of bits, and the first network device is operative to generate the challenge on the first network device, including configuring one or more of the plurality of sequences to include at least one non-zero bit.

In another aspect of this embodiment, the first network device is operative to generate the challenge on the first network device, including configuring the challenge to include at least a minimum length of bits.

In yet another aspect of this embodiment, the second network device is operative to determine a length of a concatenation of an authentication protocol identifier, a user credential and the challenge, and to divide the challenge into the first part and a second part based on the determined length.

In another aspect of this embodiment, the first network device is operative to authenticate the user based on the final hash value.
In another aspect of this embodiment, the first network device is operative to transmit a third communication including the final hash value to a third network device configured to authenticate the user.

In another aspect of this embodiment, the first network device is operative to transmit the first communication within a tunnel between the first network device and the second network device.

In another aspect of this embodiment, the second communication device is operative to transmit the second communication within a tunnel between the first device and the second device.

In another embodiment of the invention, a system is provided for at least partially authenticating a user on a communications network. The system includes a first communication device operative to transmit a first communication from a first network device to a second network device, wherein the first communication includes a challenge. The system further includes a second network device operative to receive the challenge and transmit a second communication from the second network device to the first network device, the second communication including a preliminary hash value. The second network device includes means for generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge. Further, the first network device includes means for completing performance of the hash function to produce a final hash value.

In an aspect of this embodiment, the second network device includes means for 
performing only part of a Message Digest 5-based encryption function. 

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes 
adding an appendage of information to information to be communicated to produce padded 
information that has a length that is a multiple of sixty-four octets, and includes inputting the 
padded information to a standard Message Digest 5 function. The second network device 
includes means for generating an input sequence to the Message Digest 5-based encryption 
function by concatenating information to be communicated from the second network device to the 
first network device, and includes means for inputting the input sequence into the Message Digest 
5-based encryption function without previously adding an appendage of information to the input 
sequence. 

In another aspect of this embodiment, the complete performance of the hash function 
involves performing a first number of iterations, and the second network device includes means 
for performing a second number of iterations less than the first number of iterations, and wherein 
the first network device includes means for performing a third number of iterations equal to the 
first number minus the second number, resulting in a complete performance of the hash function. 

In another aspect of this embodiment, the first network device includes means for 
completing the hash function using a second part of the challenge, wherein the first part and the 
second part form the complete challenge. 

In another aspect of this embodiment, the first network device includes means for 
generating the preliminary hash value based, at least in part, on the first part of the challenge and 
a user credential. 

In yet another aspect of this embodiment, the second network device includes means for 
dividing the challenge into the first part and a second part, and for configuring the second 
communication to include an indication of a length in bits of the user credential. In this aspect, 
the first network device includes means for completing the hash function based, at least in part, on 
the second part of the challenge and the length of the user credential. 

In another aspect of this embodiment, the first network device includes means for 
determining a state of the hash function based, at least in part, on the length of the user credential, 
and for completing the hash function based, at least in part, on the determined length. 

In another aspect of this embodiment, the first network device includes means for 
determining a length of the second part based, at least in part, on a length of the challenge and the 
length of the user credential, and for completing the hash function based, at least in part, on the 
determined length of the second part. 

In another aspect of this embodiment, the first network device includes means for 
generating the challenge on the first network device, including means for generating a portion of 
the challenge having a length equal to a desired amount of entropy for the challenge, and means 
for appending bits to the portion of the challenge to produce the challenge. 

In another aspect of this embodiment, the first network device includes means for 
appending sixty-three bits to the portion. 

In yet another aspect of this embodiment, the challenge includes a plurality of sequences 
(e.g., octets) of bits, and the first network device includes means for generating the challenge on 
the first network device, including means for configuring one or more of the plurality of 
sequences to include at least one non-zero bit. 
In another aspect of this embodiment, the first network device includes means for 
generating the challenge on the first network device, including means for configuring the 
challenge to include at least a minimum length of bits. 

In another aspect of this embodiment, the second network device includes means for 
determining a length of a concatenation of an authentication protocol identifier, a user credential 
and the challenge, and means for dividing the challenge into the first part and a second part based 
on the determined length. 

In another aspect of this embodiment, the first network device includes means for 
authenticating the user based on the final hash value. 

In another aspect of this embodiment, the first network device includes means for 
transmitting a third communication including the final hash value to a third network device 
configured to authenticate the user. 

In another aspect of this embodiment, the first network device includes means for 
transmitting the first communication within a tunnel between the first network device and the 
second network device. 

In another aspect of this embodiment, the second communication device includes means 
for transmitting the second communication within a tunnel between the first device and the second 
device. 

In an embodiment of the invention, a user is at least partially authenticated on a 
communications network. A first communication is transmitted from a first network device to a 
second network device, wherein the first communication includes a challenge. A second 
communication is received from the second network device to the first network device, the second 
communication including a preliminary hash value resulting from performance of only part of a 
hash function on a first part of the challenge, wherein the first part is less than the complete 
challenge. Performance of the hash function is completed on the first network device to produce a 
final hash value. 

In an aspect of this embodiment, the preliminary hash value is a result of partial 
performance of a Message Digest 5-based encryption function on the first part of the challenge, 
and completing the hash function includes completing the Message Digest 5-based encryption 
function. 

In another aspect of this embodiment, the complete performance of the hash function 
involves performing a first number of iterations, and the preliminary hash value resulted 
from performance of a second number of iterations less than the first number of iterations. In this 
aspect, completing the hash function includes performing a third number of iterations equal to the 
first number minus the second number, resulting in a complete performance of the hash function. 

In another aspect of this embodiment, completing the hash function includes completing 
the hash function using a second part of the challenge, wherein the first part and the second part 
form the complete challenge. 

In yet another aspect of this embodiment, the challenge includes two parts: the first part 
and a second part, and the preliminary hash value is based, at least in part, on the first part of the 
challenge and a user credential. The second communication includes an indication of a length in 
bits of the user credential. In this aspect, completing the hash function includes completing the 
hash function based, at least in part, on the second part of the challenge and the length of the user 
credential. 

In another aspect of this embodiment, completing the hash function includes: (1) 
determining a state of the hash function based, at least in part, on the length of the user credential; 
and (2) completing the hash function based, at least in part, on the determined state. 

In another aspect of this embodiment, completing the hash function includes: (1) 
determining a length of the second part based, at least in part, on a length of the challenge and the 
length of the user credential; and (2) completing the hash function based, at least in part, on the 
determined length of the second part. 

In another aspect of this embodiment, the challenge is generated on the first network 
device, including generating a portion of the challenge having a length equal to a desired amount 
of entropy for the challenge, and appending bits to the portion of the challenge to produce the 
challenge. 

In another aspect of this embodiment, generating the challenge includes appending 
sixty-three bits to the challenge. 

In yet another aspect of this embodiment, the challenge includes a plurality of sequences 
(e.g., octets) of bits. The challenge is generated on the first network device, including configuring 
one or more of the plurality of sequences to include at least one non-zero bit. 

In another aspect of this embodiment, the challenge is generated on the first network 
device, including configuring the challenge to include at least a minimum length of bits. 

In another aspect of this embodiment, the user is authenticated based on the final hash 
value. 
In another aspect of this embodiment, a third communication including the final hash 
value is transmitted to a third network device configured to authenticate the user. 

In another embodiment of the invention, a computer program is used to control a computer 
to perform the method of the embodiment described in the preceding paragraphs. 

In another embodiment of the invention, a computer-readable medium is provided that 
stores computer-readable signals defining instructions that, as a result of being executed by a 
computer, instruct the computer to perform the above method of the embodiment described in the 
preceding paragraphs. 

In another embodiment of the invention, a system is provided for at least partially 
authenticating a user on a communications network. 

In another embodiment of the invention, a tunnel server residing on a first network device 
of a communications network at least partially authenticating a user on the communications 
network. The tunnel server includes a challenge generator to generate a challenge that is 
transmitted from the first network device to a second network device. The tunnel server further 
includes a final hash value generator to receive a preliminary hash value from the second network 
device, the preliminary hash value resulting from performance of only part of a hash function on 
a first part of the challenge, wherein the first part is less than the complete challenge. The final 
hash value generator is operative to complete performance of the hash function on the first 
network device to produce a final hash value. 

In an aspect of this embodiment, the complete performance of the hash function involves 
performing a first number of iterations, and the preliminary hash value is the result of 
performance of a second number of iterations less than the first number of iterations. In this 
aspect, the final hash value generator is operative to perform a third number of iterations equal to 
the first number minus the second number, resulting in a complete performance of the hash 
function. 

In another aspect of this embodiment, the final hash value generator is operative to 
complete the hash function using a second part of the challenge, wherein the first part and the 
second part form the complete challenge. 

In another aspect of this embodiment, the challenge includes the first part and a second 
part, and the second communication includes an indication of a length in bits of a user credential. 
Further, the final hash value generator is operative to complete the hash function based, at least in 
part, on the second part of the challenge and the length of the user credential. 
In yet another aspect of this embodiment, the final hash value generator is operative to 
determine a state of the hash function based, at least in part, on the length of the user credential, 
and to complete the hash function based, at least in part, on the determined length. 

In another aspect of this embodiment, the final hash value generator is operative to 
determine a length of the second part based, at least in part, on a length of the challenge and the 
length of the user credential, and to complete the hash function based, at least in part, on the 
determined length of the second part. 

In another aspect of this embodiment, the challenge generator is operative to generate the 
challenge, to generate a portion of the challenge having a length equal to a desired amount of 
entropy for the challenge, and to append bits to the portion of the challenge to produce the 
challenge. 

In another aspect of this embodiment, the challenge generator is operative to append sixty- 
three bits to the portion. 

In yet another aspect of this embodiment, the challenge includes a plurality of sequences 
(e.g., octets) of bits, and the challenge generator is operative to generate the challenge, and to 
configure one or more of the plurality of sequences to include at least one non-zero bit. 

In another aspect of this embodiment, the challenge generator is operative to generate the 
challenge, including configuring the challenge to include at least a minimum length of bits. 

In another aspect of this embodiment, the tunnel server is operative to authenticate the user 
based on the final hash value. 

In yet another aspect of this embodiment, the tunnel server is operative to control 
transmission of a third communication including the final hash value to a third network device 
configured to authenticate the user. 

In another aspect of this embodiment, the tunnel server is operative to control transmission 
of the first communication within a tunnel between the first network device and the second 
network device. 

In another embodiment of the invention, a tunnel server residing on a first network device 
of a communications network at least partially authenticating a user on the communications 
network. The tunnel server includes a challenge generator to generate a challenge that is 
transmitted from the first network device to a second network device. The tunnel server is 
operative to receive a preliminary hash value from the second network device, the preliminary 
hash value resulting from performance of only part of a hash function on a first part of the 
challenge, wherein the first part is less than the complete challenge. The tunnel server further 
includes means for completing performance of the hash function on the first network device to 
produce a final hash value. 

In an aspect of this embodiment, the complete performance of the hash function involves 
performing a first number of iterations, and the preliminary hash value is the result of 
performance of a second number of iterations less than the first number of iterations. The tunnel 
server includes means for performing a third number of iterations equal to the first number minus 
the second number, resulting in a complete performance of the hash function. 

In another aspect of this embodiment, the tunnel server includes means for completing the 
hash function using a second part of the challenge, wherein the first part and the second part form 
the complete challenge. 

In another aspect of this embodiment, the challenge includes the first part and a second 
part, and the second communication includes an indication of a length in bits of a user credential. 
In this aspect, the tunnel server includes means for completing the hash function based, at least in 
part, on the second part of the challenge and the length of the user credential. 

In yet another aspect of this embodiment, the tunnel server includes means for determining 
a state of the hash function based, at least in part, on the length of the user credential, and for 
completing the hash function based, at least in part, on the determined length. 

In another aspect of this embodiment, the tunnel server includes means for determining a 
length of the second part based, at least in part, on a length of the challenge and the length of the 
user credential, and for completing the hash function based, at least in part, on the determined 
length of the second part. 

In another aspect of this embodiment, the challenge generator includes means for 
generating the challenge on the tunnel server, including means for generating a portion of the 
challenge having a length equal to a desired amount of entropy for the challenge, and means for 
appending bits to the portion of the challenge to produce the challenge. 

In another aspect of this embodiment, the challenge generator includes means for 
appending sixty-three bits to the portion. 

In another aspect of this embodiment, the challenge includes a plurality of sequences (e.g., 
octets) of bits, and the challenge generator includes means for generating the challenge, including 
means for configuring one or more of the plurality of sequences to include at least one non-zero 
bit. 
In yet another aspect of this embodiment, the challenge generator includes means for 
generating the challenge, including means for configuring the challenge to include at least a 
minimum length of bits. 

In another aspect of this embodiment, the tunnel server includes means for authenticating 
the user based on the final hash value. 

In another aspect of this embodiment, the tunnel server includes means for transmitting a 
third communication including the final hash value to a third network device configured to 
authenticate the user. 

In another aspect of this embodiment, the tunnel server includes means for transmitting the 
first communication within a tunnel between the first network device and the second network 
device. 

In an embodiment of the invention, a user is at least partially authenticated on a 
communications network in response to a challenge received at a second network device from a 
first network device. A preliminary hash value is generated by performing only part of a hash 
function on a first part of the challenge, wherein the first part is less than the complete challenge. 
A communication is transmitted from the second network device to the first network device, the 
communication including the preliminary hash value. 

In an aspect of this embodiment, generating the preliminary hash value includes 
performing only part of a Message Digest 5-based encryption function. 

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes 
adding an appendage of information to information to be communicated to produce padded 
information that has a length that is a multiple of sixty-four octets, and includes inputting the 
padded information to a standard Message Digest 5 function. In this aspect, generating the 
preliminary hash value includes: (1) generating an input sequence to the Message Digest 5-based 
encryption function by concatenating information to be communicated from the second network 
device to the first network device; and (2) inputting the input sequence into the Message Digest 5- 
based encryption function without previously adding an appendage of information to the input 
sequence. 

In yet another aspect of this embodiment, the complete performance of the hash function 
involves performing a first number of iterations, and generating the preliminary hash value 
includes performing a second number of iterations less than the first number of iterations. 
In another aspect of this embodiment, generating the preliminary hash value includes 
generating the preliminary hash value based, at least in part, on the first part of the challenge and 
a user credential. 

In another aspect of this embodiment, generating the preliminary hash value includes 
dividing the challenge into the first part and a second part, and configuring the communication to 
include an indication of a length in bits of the user credential. 

In another aspect of this embodiment, generating the preliminary hash value includes: (1) 
determining a length of a concatenation of an authentication protocol identifier, a user credential 
and the challenge; and (2) dividing the challenge into the first part and a second part based on the 
determined length. 

In another aspect of this embodiment, the first communication is transmitted within a 
tunnel between the first network device and the second network device. 

In another embodiment of the invention, a system is provided for at least partially 
authenticating a user on a communications network. 

In another embodiment of the invention, a computer program is used to control a computer 
to perform the method of the embodiment described in the preceding paragraphs. 

In another embodiment of the invention, a computer-readable medium is provided that 
stores computer-readable signals defining instructions that, as a result of being executed by a 
computer, instruct the computer to perform the above method of the embodiment described in the 
preceding paragraphs. 

In another embodiment of the invention, a client residing on a second network device of a 
communications network at least partially authenticating a user in response to a challenge 
received on the second network device from a first network device. The client includes a 
preliminary hash generator to generate a preliminary hash value by performing only part of a hash 
function on a first part of the challenge, wherein the first part is less than the complete challenge. 
The second network device is operative to transmit a communication from the second network 
device to the first network device, the communication including the preliminary hash value. 

In an aspect of this embodiment, the preliminary hash generator is operative to perform 
only part of a Message Digest 5-based encryption function. 

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes 
adding an appendage of information to information to be communicated to produce padded 
information that has a length that is a multiple of sixty-four octets, and includes inputting the 
padded information to a standard Message Digest 5 function. In this aspect, the preliminary hash 
generator is operative to generate an input sequence to the Message Digest 5-based encryption 
function by concatenating information to be communicated from the second network device to the 
first network device, and to input the input sequence into the Message Digest 5-based encryption 
function without previously adding an appendage of information to the input sequence. 

In another aspect of this embodiment, the complete performance of the hash function 
involves performing a first number of iterations. The preliminary hash generator is operative to 
perform a second number of iterations less than the first number of iterations. 

In another aspect of this embodiment, the preliminary hash generator is operative to 
generate the preliminary hash value based, at least in part, on the first part of the challenge and a 
user credential. 

In yet another aspect of this embodiment, the preliminary hash generator is operative to 
divide the challenge into the first part and a second part, and to configure the communication to 
include an indication of a length in bits of the user credential. 

In another aspect of this embodiment, the preliminary hash generator is operative to 
determine a length of a concatenation of an authentication protocol identifier, a user credential 
and the challenge, and to divide the challenge into the first part and a second part based on the 
determined length. 

In another aspect of this embodiment, the client is operative to control transmission of the 
first communication within a tunnel between the first network device and the second network 
device. 

In another embodiment of the invention, a client residing on a second network device of a 
communications network at least partially authenticating a user in response to a challenge 
received on the second network device from a first network device. The client includes means for 
generating a preliminary hash value by performing only part of a hash function on a first part of 
the challenge, wherein the first part is less than the complete challenge. The second network 
device is operative to transmit a communication from the second network device to the first 
network device, the communication including the preliminary hash value. 

In an aspect of this embodiment, the means for generating includes means for performing 
only part of a Message Digest 5-based encryption function. 

In another aspect of this embodiment, a standard Message Digest 5 algorithm includes 
adding an appendage of information to information to be communicated to produce padded 
information that has a length that is a multiple of sixty-four octets, and includes inputting the 
padded information to a standard Message Digest 5 function. In this aspect, the means for 
generating includes means for generating an input sequence to the Message Digest 5-based 
encryption function by concatenating information to be communicated from the second network 
device to the first network device, and means for inputting the input sequence into the Message 
Digest 5-based encryption function without previously adding an appendage of information to the 
input sequence. 

In an aspect of this embodiment, the complete performance of the hash function involves 
performing a first number of iterations. The means for generating includes means for performing 
a second number of iterations less than the first number of iterations. 

In an aspect of this embodiment, the means for generating includes means for generating 
the preliminary hash value based, at least in part, on the first part of the challenge and a user 
credential. 

In an aspect of this embodiment, the means for generating includes means for dividing the 
challenge into the first part and a second part, and means for configuring the communication to 
include an indication of a length in bits of the user credential. 

In yet another aspect of this embodiment, the means for generating includes means for 
determining a length of a concatenation of an authentication protocol identifier, a user credential 
and the challenge, and means for dividing the challenge into the first part and a second part based 
on the determined length. 

In an aspect of this embodiment, the client further includes means for controlling 
transmission of the first communication within a tunnel between the first network device and the 
second network device. 

Other advantages, novel features, and objects of the invention, and aspects and 
embodiments thereof, will become apparent from the following detailed description of the 
invention, including aspects and embodiments thereof, when considered in conjunction with the 
accompanying drawings, which are schematic and which are not intended to be drawn to scale. In 
the figures, each identical or nearly identical component that is illustrated in various figures is 
represented by a single numeral. For purposes of clarity, not every component is labeled in every 
figure, nor is every component of each embodiment or aspect of the invention shown where 
illustration is not necessary to allow those of ordinary skill in the art to understand the invention. 
BRIEF DESCRIPTION OF THE DRAWINGS 

In the drawings: 

Fig. 1 is a block and information flow diagram illustrating an example of a known system 
for encapsulating inner protocol communications within a tunnel provided by a tunneling 
protocol; 

Fig. 2 is a flowchart illustrating an example of a known method of authenticating a user 
according to an MD5 algorithm; 

Fig. 3 is an information flow diagram illustrating a known method of generating an MD5 
hash value from an MD5 hash function input sequence; 

Fig. 4 is a flowchart illustrating an example of a method of authenticating a user on a 
communications network according to one or more embodiments of the invention; 

Fig. 5 is a block diagram illustrating an example of a data structure of a payload of a 
communication, including a challenge, transmitted from a tunnel server to a client in accordance 
with one or more embodiments of the invention; 

Fig. 6 is a flow chart illustrating an example of a method of generating a preliminary hash 
value using a first part only of a challenge in accordance with one or more embodiments of the 
invention; 

Fig. 7 is a block diagram illustrating an example of a data structure of a payload of a 
communication, including a response, transmitted from a client to a tunnel server in accordance 
with one or more embodiments of the invention; 

Fig. 8 is a flow chart illustrating an example of a method of generating a final hash value 
on a tunnel server in accordance with one or more embodiments of the invention; 

Fig. 9 is a block diagram illustrating an example of a system for authenticating a user in 
accordance with one or more embodiments of the invention; 

Fig. 10 is an information flow diagram illustrating an example of a preliminary hash 
generator generating a preliminary hash value in accordance with one or more embodiments of 
the invention; 

Fig. 11 is an information flow diagram illustrating an example of a final hash generator 
generating a final hash value based on a preliminary hash value and a second part of a challenge 
in accordance with one or more embodiments of the invention; 

Fig. 12 is a block diagram illustrating an example of a general-purpose computer system 
that can be used to implement one or more embodiments of the invention; and 
Fig. 13 is a block diagram illustrating an example of a memory sub-system of a general- 
purpose computer system that can be used to implement one or more embodiments of the 
invention. 

DETAILED DESCRIPTION 

Although the systems and methods described below are described primarily in relation to 
exchanging communication on a network in accordance with a tunneled authentication protocol, 
the systems and methods described herein are not limited thereto, but may be applied to any 
exchange of communications between devices, for example, any exchange of communication on a 
network involving encryption of data. Further, although the systems and methods described 
below are described often in illustrative relation to use of an MD5-based authentication protocol 
and/or an MD5-based hashing function, the systems and methods described herein are not limited 
thereto, as other authentication protocols and hashing functions may be used. 

Described herein are systems and methods for preventing a MiM attack without 
combining encryption keys of an inner protocol and a tunneling protocol. 

The performance of a hash function (e.g., a one-way hash function such as an MD5-based 
hash function) may be split between logical components residing on separate network devices. 
For example, in response to a challenge issued by a tunnel server on a first network device, a 
client on a second network device may initiate performance of a hash function and generate an 
intermediate result of the hash function (i.e., a preliminary hash value). The second network 
device then may transmit the preliminary hash value to the tunnel server on the first network 
device as part of a response to the challenge. The tunnel server then may complete the hash 
function to produce a final hash value. The final hash value then may be used to authenticate a 
user. 

A challenge issued by a tunnel server may be divided into a first part and a second part by 
a client. The client may use the first part only to generate a response to the challenge (e.g., a 
preliminary hash value), and the tunnel server may use the second part of the challenge to produce 
a final hash value. For example, the tunnel server may use the preliminary hash value as the 
initialization vector (i.e., the starting state) of a hash function (e.g., a one-way hash function 
such as an MD5-based hash function), use the second part of the challenge to create a hash 
function input sequence for the hash function, and then perform the hash function to produce the 
final hash value. The final hash value then may be used to authenticate a user. 
The final hash value resulting from splitting performance of the hash function, which may 
include dividing the challenge into parts, may be the same as the hash value that would be produced 
using known authentication protocols, e.g., MDC or CHAP, to respond to the challenge. Thus, the 
final hash value may be sent as a response to an authentication server in accordance with a known 
protocol, such as MDC or CHAP. Accordingly, the preliminary hash value may be converted to a 
final hash value that may be used by known protocols to authenticate a user. Conversely, a final 
hash value generated by a known protocol cannot be converted to a preliminary hash value, for 
example, by an attacker, because the final hash value is produced from the preliminary hash value 
by one or more iterations of a one-way function, as will become clear below. 

A MiM attack may be prevented by: splitting performance of a hash function and/or 
dividing the challenge into first and second parts, as described above, for authentication 
performed within a secure tunnel; and performing known authentication outside of tunnels. As a 
result, an attacker could not launch a MiM attack as described above because the response (i.e., a 
final hash value) that the attacker would learn outside of the tunnel in response to a particular 
challenge would not be the same as the response (i.e., a preliminary hash value) that the tunnel 
server would be expecting inside of the tunnel in response to the same challenge. Thus, the 
attacker would fail to authenticate as a user inside of the tunnel. Accordingly, use of known 
MD5-based protocols such as CHAP and MDC outside of a tunnel can be protected against a 
MiM attack. 

The function and advantages of these and other embodiments of the present invention will 
be more fully understood from the examples described below. The following examples are 
intended to facilitate an understanding of the invention and illustrate the benefits of the present 
invention, but do not exemplify the full scope of the invention. 

Examples 

Although the systems and methods described herein are not limited to use of an MD5 hash 
function, an MD5 hash function will be used as an illustrative example throughout this 
application. Accordingly, the following terms will be used for illustrative purposes and will have 
the following meanings throughout this application: 

• f(x,y) is an MD5-based hash function (i.e., one iteration of MD5 over a single 64-octet 
segment), where x is a 16-octet vector and y is a 64-octet message segment; 

• V is a 16-octet vector that is input to and output by the MD5 hash function, where 

- V[0] = I, the fixed MD5 initialization vector; and 

- V[n], with n > 0, is the output of the (n - 1)th iteration of the hash function 
f(x,y), and input to the nth iteration of the hash function f(x,y); 

• L(x) is the length, in octets, of a sequence x; 

• ID is the one-octet EAP identifier; 

• P is the user password; 

• C is the challenge; 

• S is the sequence ID|P|C, which, for known MD5-based protocols, is the sequence 
(i.e., message) from which a hash function input sequence is generated for the known 
MD5 function; 

• C1 and C2 are two subsequences (i.e., parts) of the challenge C, which, when 
concatenated, form the entire challenge; i.e., C = C1|C2. C1 is the part of the 
challenge that will be hashed by the client to produce a preliminary hash value, as will 
be described in more detail below, and C2 is the part that will be used by the tunnel 
server to generate a final hash value from the preliminary hash. The challenge may be 
partitioned such that L(ID|P|C1) is an exact multiple of 64 octets, as described more 
fully below; 

• C1MIN is the minimum length of C1 that may be required to provide at least a desired 
amount of challenge entropy; thus, L(C1) must be >= C1MIN; 

• S' is the sequence ID|P|C1, which is the portion of S that may be hashed by the client 
as will be shown below; L(S') may be configured to be a multiple of 64 octets; 

• N is the number of 64-octet segments in S'; i.e., L(S') = 64*N; 

• R' is the client's 16-octet response, based on the new MD5-based algorithm described 
below; 

• R is the response computed by the tunnel server, as described below in more detail, 
based on R' and C2. R is the response that would result from performing a known MD5-
based authentication protocol on the complete challenge C. 
Fig. 4 is a flowchart illustrating an example of a method 400 of authenticating a user on a 
communications network according to an embodiment of the invention. In an embodiment, in 
order to avoid a MiM attack, a client uses method 400 for all communications transmitted within a 
tunnel across a communications network, but uses a different protocol, for example, CHAP or 
MDC, for communications outside of a tunnel. 
In Act 402, a challenge is generated for a user. For example, the challenge is generated by 
an authentication server which may reside on the same network device as the tunnel server or on a 
separate network device, in which case the tunnel server is logically interposed on a network 
device between the network device on which the authentication server resides and the network 
device on which the client resides. 

The challenge may be conditioned (i.e., configured) in any of a variety of ways. For 
example, the challenge may be configured to have a length that provides at least a minimum 
amount of entropy. In an embodiment, the challenge is an MD5 challenge, where the MD5 
challenge is conditioned to have a length of at least four octets to provide a minimum amount of 
entropy. As will be described in more detail below, the client may be configured to use only a 
portion, C1, of the challenge, C, to generate a response to the challenge. Accordingly, if the 
challenge is an MD5 challenge, then Act 402 may include adding an additional amount of 
challenge material (e.g., 63 octets) to the challenge beyond the minimum desired entropy, 
C1MIN, of the part of the challenge used by the client. A challenge padded with extra 
information (e.g., extra bits or octets (e.g., 63)) is referred to herein as a "padded 
challenge." For example, in an embodiment of the invention, C1MIN = 16 and, therefore, the 
padded challenge is configured to have a length of 79 (16+63) octets. Configuring the padded 
challenge such that L(C) = C1MIN + 63 ensures a minimum length C1MIN of C1 because of 
the manner in which the challenge C is partitioned into C1 and C2: L(C2) is a remainder modulo 
64 and therefore at most 63 octets, which leaves L(C1) = L(C) - L(C2) >= C1MIN, as described 
below in more detail in relation to Act 602 of method 600. 

Although the probability is low, the hash function input sequence (e.g., 1002 described 
below in relation to Fig. 10) generated in accordance with embodiments of this invention could, 
theoretically, include the same sequence of bits as the hash function input sequence 302 (Fig. 3) 
generated in accordance with known MD5 algorithms. For example, an attacker could launch a 
MiM attack, send a challenge to a client outside of a tunnel using an MD5 protocol and elicit a 
response that is identical to a response that could result from performance of Act 406 and/or 
method 600. This would require the attacker's challenge, together with the appendage that the 
known protocol adds before hashing, to reproduce exactly the sequence ID|P|C1 that the client 
hashes inside the tunnel. 

As described above, hash function input sequence 302 includes an eight-octet message 
length field 316 that indicates the length of message 310. In an embodiment of the invention in 
which the challenge is an MD5 challenge, the MD5 challenge generated by Act 402 may be 
configured so that Act 406 cannot produce a hash function input sequence (e.g., 1002) that could 
be the same as a hash function input sequence 302 generated in accordance with known MD5 
algorithms. For example, the MD5 challenge may be configured such that no eight-octet 
sequence of the challenge has a binary value that could possibly represent a length of an MD5 
message 310. Accordingly, no last eight-octet sequence of the first part of the challenge (e.g., 
1004) could possibly have the same value as the eight-octet message length 316 of the hash 
function input sequence 302 generated using a known MD5 algorithm. Act 402 may achieve this 
goal in any of a variety of ways, for example, by configuring each octet of the challenge to have 
a non-zero value (i.e., to include at least one logical "1"). Any eight-octet sequence made up of 
such non-zero octets has a value that is too large to be equal to an eight-octet message length 316 
resulting from an MD5 algorithm performed outside of a tunnel, since every octet of a real 
message's length field that is not the least significant would have to be non-zero as well. 

Returning to method 400, in Act 404, a first communication is transmitted from a first 
network device on which the tunnel server resides to a second network device on which a client 
resides. This first communication includes the challenge. 

Fig. 5 illustrates, diagrammatically, an example of a data structure of a payload 500 of a 
first communication transmitted from the first network device to the second network device. It 
should be appreciated that payload 500 does not include any header information that may be 
included as part of the first communication. The type field 502 is one octet and may be set to a 
value that indicates the type of the authentication protocol, for example, a protocol for 
implementing method 400. The client may use field 502 to determine to implement a protocol in 
accordance with method 400 as opposed to known protocols such as CHAP or MDC. Value-size 
field 504 is one octet in length and indicates the length of the variable-length challenge field 506. 
Challenge field 506 includes the challenge. Name field 508 may be used to identify the first 
network device or for another purpose. 

After performance of Act 404 and before performing Act 406, the client may verify that 
the transmitted challenge meets certain requirements. For example, the client may verify that the 
challenge has at least a minimum length in octets, for example, a certain number of octets (e.g., 
63) greater than the minimum desired entropy, C1MIN, of the first part of the challenge. Further, 
the client may verify that the first part of the challenge will not have a last eight octets that could 
possibly have the same value as the eight-octet message length field of a hash function input 
sequence that could be produced by known MD5 algorithms. For example, the client may verify 
that each octet of the challenge has a non-zero value. 

If the client determines that any requirements of the challenge are not met, then the client 
may be configured to refuse to proceed with the authentication process, and may send a 
communication to the tunnel server indicating a failure of the challenge to meet these 
requirements. 
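
The conditioning of Act 402 and the checks just described, carried through as an added worked example in Python (this code is not from the patent and describes no particular product). C1MIN = 16 and the 63 extra octets follow the text; the function names, the list-of-problems return style, and MAX_MSG_OCTETS, an assumed upper bound on the size of ID|P|C that a real exchange could carry, are illustrative assumptions. The example also shows the argument for the non-zero-octet rule: MD5's length field is the little-endian 64-bit bit count of the message, so for any message of realistic size its high octets are zero, and an eight-octet window with no zero octet cannot be such a field.

```python
"""Added example: padded-challenge generation (Act 402) and the receiver-side
checks from the text. Assumptions: C1MIN = 16, 63 pad octets (both per the
text); MAX_MSG_OCTETS and all function names are illustrative."""
import secrets
import struct

C1MIN = 16                 # minimum entropy octets required in C1 (per the text)
PAD_OCTETS = 63            # L(C2) is at most 63, so L(C) = C1MIN + 63 keeps L(C1) >= C1MIN
MAX_MSG_OCTETS = 1 << 16   # ASSUMED bound on L(ID|P|C) for any real challenge/response exchange


def make_padded_challenge(c1min=C1MIN):
    """Act 402: C1MIN + 63 random octets, every octet non-zero (zero octets are rejected and redrawn)."""
    out = bytearray()
    while len(out) < c1min + PAD_OCTETS:
        octet = secrets.token_bytes(1)
        if octet != b"\x00":
            out += octet
    return bytes(out)


def md5_length_field(msg_octets):
    """The eight-octet message length 316 that a known MD5 algorithm appends: bit count, little-endian."""
    return struct.pack("<Q", msg_octets * 8)


def could_be_md5_length_field(eight_octets, max_octets=MAX_MSG_OCTETS):
    """True if these 8 octets could be the length field of a message of at most max_octets octets."""
    bits = struct.unpack("<Q", eight_octets)[0]
    return bits % 8 == 0 and bits // 8 <= max_octets


def challenge_problems(challenge, c1min=C1MIN):
    """Checks a client (or an intermediate tunnel server) applies before hashing; empty list means OK."""
    problems = []
    if len(challenge) < c1min + PAD_OCTETS:
        problems.append("challenge shorter than C1MIN + 63 octets")
    if b"\x00" in challenge:
        problems.append("challenge contains a zero octet")
    # Direct form of the requirement: no 8-octet window (so no possible tail of C1) is a valid length field.
    for i in range(len(challenge) - 7):
        if could_be_md5_length_field(challenge[i:i + 8]):
            problems.append("an 8-octet window of the challenge could be an MD5 length field")
            break
    return problems


def partition_lengths(l_id, l_p, l_c):
    """Act 602 lengths: L(C2) = L(ID|P|C) mod 64 and L(C1) = L(C) - L(C2)."""
    l_c2 = (l_id + l_p + l_c) % 64
    return l_c - l_c2, l_c2


def min_c1_over_all_password_lengths(l_c, l_id=1, max_l_p=255):
    """Smallest L(C1) the partition can yield for this L(C), over password lengths 0..max_l_p."""
    return min(partition_lengths(l_id, l_p, l_c)[0] for l_p in range(max_l_p + 1))
```

A receiver that finds a non-empty problem list refuses to proceed and reports the failure upstream, as the text describes for both the client and an intermediate tunnel server; the window check is implied by the zero-octet check but is kept so the rule can be verified against any challenge, not only those built by make_padded_challenge.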

Similarly, if the tunnel server is serving as an intermediate server between an 
authentication server that issues the challenge and the client, then the tunnel server may not 
generate the challenge in Act 402, but may receive the challenge from the authentication server. 
In such a case, the tunnel server may require that the challenge meet certain requirements, for 
example, requirements similar to or the same as those that may be imposed by the client when it 
receives the challenge from the tunnel server. If the tunnel server determines that any 
requirements of the challenge are not met, then the tunnel server may be configured to refuse to 
proceed with the authentication process, and may send a communication to the authentication 
server indicating a failure of the challenge to meet these requirements. 

Returning to method 400, in Act 406, a preliminary hash value may be generated using a 
first part only of the challenge, for example, as described below in more detail in relation to 
method 600. The preliminary hash value is "preliminary" in the sense that it is not the final result 
of the complete hash function, but merely a hash value resulting from performance of only part of 
the hash function on a first part only of the hash function input sequence. 

Fig. 6 is a flow chart illustrating an example of a method 600 of generating a preliminary 
hash value using a first part only of a challenge. 

In Act 602, the challenge is partitioned into a first part (C1) and a second part (C2). The 
challenge may be partitioned as follows. First, the length of the second part C2, L(C2), may be 
determined by performing the following operation: L(C2) = L(ID|P|C) MOD 64. For example, if 
the length, in octets, of ID|P|C is one hundred, then the length, in octets, of C2 is thirty-six. From 
L(C2), the length in octets of the first part, L(C1), may be determined, for example, by performing 
the following operation: L(C1) = L(C) - L(C2). In the previous example, L(ID|P|C1) = 100 - 36 = 
64, so the client hashes exactly one 64-octet segment. 

In Act 604, an authentication protocol identifier (e.g., an EAP ID), a user credential (e.g., 
a password) and the first part of the challenge are concatenated together (in the order listed in this 
sentence) to produce a hash function input sequence, S' = ID|P|C1. An example of such a hash 
function input sequence is illustrated by hash function input sequence 1002 in Fig. 10. 

In one or more embodiments of the invention, the hash function initiated by method 600 
and completed in method 800 is an MD5-based hash function. In such embodiments, unlike 
known MD5-based algorithms, method 600 does not include adding an appendage, for example, 
appendage 317 of Fig. 3, to the message to be hashed, S'. As will be described in more detail 
below in relation to method 800, later during the performance of method 400, this appendage may 
be added to the second part of the challenge, C2, by the tunnel server to complete the hash 
function. As described above, an MD5-based hash function involves performing multiple 
iterations on sixty-four octet sequences of an input sequence. The appendage has a minimum 
length of nine octets (the hex 80 octet and the eight-octet length). Thus, if L(C2) >= fifty-six 
octets, then the addition of the appendage causes the length of the input sequence to exceed sixty-
four octets. Accordingly, octets of zeroes are added to produce an input sequence having a length 
of one hundred twenty-eight octets, necessitating that the tunnel server perform two iterations of 
the hash function, which are the last two iterations of the hash function. If L(C2) < fifty-six 
octets, then the addition of the appendage does not exceed sixty-four octets, and the tunnel server 
performs only the last iteration of the hash function. 

Accordingly, in Act 606, all but the last one or two iterations of the hash function may be 
performed on the hash function input sequence to produce the preliminary hash. For example, if 
the hash function is an MD5-based hash function and L(C2) >= fifty-six octets, Act 606 may 
perform all but the last two iterations of the hash function. If the hash function is an MD5-based 
hash function and L(C2) < fifty-six octets, Act 606 may perform all but the last iteration of the 
hash function. Such hash function may be any of a variety of hash functions, and may be any of a 
variety of types of hash functions, for example, a one-way hash function. A one-way hash 
function is a hash function which is cryptographically difficult to invert. In other words, if the 
hash function input sequence is i, the hash value is h, and the hash function is f such that h = f(i), 
then it is infeasible to determine i given h. One-way hash functions often are used to generate 
digital signatures. An MD5-based hash function is an example of a one-way hash function. 

Returning to method 400, in Act 408, a second communication is transmitted from the 
second network device on which the client resides to the tunnel server on the first network device. 
The second communication includes the preliminary hash value. This second communication also 
may include an indication of a length of a user credential, for example, a length of a user 
password. This indication may indicate the length in octets of the user credential, for example, 
the length in octets of a user password, L(P). This preliminary hash value may serve as the 
client's response to the challenge. 

Fig. 7 diagrammatically illustrates an example of a payload 700 of the second 
communication transmitted from the second network device to the first device. It should be 
appreciated that payload 700 does not include any header information that may be included in the 
second communication. Type field 702 may have a length of one octet and may be set to the 
value of a type of authentication protocol, for example, a protocol for implementing method 400. 
The tunnel server may use field 702 to determine to implement a protocol in accordance with 
method 400, as opposed to known protocols such as CHAP or MDC. Value-size field 704 may have a 
length of one octet and may indicate the length of the response field 706. Response field 706 may 
include the preliminary hash value. The octets-used field 708 may have a length of one octet and 
may indicate the length of the user credential (e.g., a password) with which the client responds to 
the challenge. The name field 710 may be used to identify the client or may be used for other 
purposes. 
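
An added example (not from the patent) of building and parsing the payload layouts of Fig. 5 and Fig. 7 in Python, including the bounds check on the value-size field that a receiver needs before slicing the variable-length field. The numeric type value TYPE_SPLIT_MD5 and the function names are assumptions, since the text assigns no number to the type field:

```python
"""Added example: encoders and decoders for payload 500 (Fig. 5) and payload
700 (Fig. 7). TYPE_SPLIT_MD5 is an ASSUMED value for the method 400 protocol;
the text specifies only that the type field is one octet."""
import struct

TYPE_SPLIT_MD5 = 200   # assumed type value for the method 400 protocol


class MalformedPayload(ValueError):
    """Raised when a received payload does not match the layout; the receiver should discard it."""


def encode_challenge_payload(challenge, name=b"", ptype=TYPE_SPLIT_MD5):
    """Payload 500: type(1) | value-size(1) | challenge(value-size octets) | name(rest)."""
    if not 0 < len(challenge) < 256:
        raise ValueError("challenge length must fit the one-octet value-size field")
    return struct.pack("BB", ptype, len(challenge)) + challenge + name


def decode_challenge_payload(buf):
    """Parse payload 500; refuses a value-size that points past the end of the buffer."""
    if len(buf) < 2:
        raise MalformedPayload("truncated header")
    ptype, size = buf[0], buf[1]
    if size == 0 or 2 + size > len(buf):
        raise MalformedPayload("value-size does not fit the payload")
    return {"type": ptype, "challenge": buf[2:2 + size], "name": buf[2 + size:]}


def encode_response_payload(preliminary_hash, password_len, name=b"", ptype=TYPE_SPLIT_MD5):
    """Payload 700: type(1) | value-size(1) | response(16) | octets-used(1) | name(rest)."""
    if len(preliminary_hash) != 16:
        raise ValueError("R' is a 16-octet vector")
    if not 0 <= password_len < 256:
        raise ValueError("octets-used is a one-octet field")
    return (struct.pack("BB", ptype, len(preliminary_hash)) + preliminary_hash
            + struct.pack("B", password_len) + name)


def decode_response_payload(buf):
    """Parse payload 700; the response must be exactly 16 octets and be followed by octets-used."""
    if len(buf) < 2:
        raise MalformedPayload("truncated header")
    ptype, size = buf[0], buf[1]
    if size != 16 or 3 + size > len(buf):
        raise MalformedPayload("response must be 16 octets followed by octets-used")
    return {"type": ptype, "response": buf[2:18], "password_len": buf[18], "name": buf[19:]}


def parse_or_none(decoder, buf):
    """Convenience wrapper: None instead of an exception for a malformed payload."""
    try:
        return decoder(buf)
    except MalformedPayload:
        return None
```

The receiver dispatches on the type octet before anything else, as the text says for fields 502 and 702; a value-size larger than the remaining payload is the classic over-read bug in this kind of TLV, so both decoders reject it rather than silently returning a short slice.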

Returning to method 400, in Act 410, the tunnel server generates a final hash value by 
completing the hash function, for example, as described below in more detail in relation to 
method 800. In one or more embodiments of the invention, the final hash value resulting from 
performance of Act 410 is equal to the hash value that would result if the complete hash function 
were performed on the entire challenge by the client itself, for example, in accordance with 
known hashing functions such as MD5. 

Fig. 8 is a flow chart illustrating an example of a method 800 of completing a preliminary 
hash value on a tunnel server. 

In Act 802, the tunnel server establishes the current state of the hash function. For 
example, if the hash function is an MD5-based hash function, the state of the algorithm after each 
iteration includes: a count of the number of octets already processed by the hash function; and the 
value of vector V. The count state may be computed based on the length in octets of the user 
credential (e.g., password) included in the second communication. The vector V may be the 
preliminary hash value, R'. 

Act 802 may include Act 804 to calculate the length of the second part of the challenge, 
L(C2). For example, if the challenge is an MD5-based challenge, Act 804 may include 
performing the following operation: L(C2) = (L(ID) + L(P) + L(C)) MOD 64. The values of L(ID) 
and L(C) are known by the tunnel server because the tunnel server transmitted the challenge and 
protocol ID to the client in the first communication. L(P) is determined from the second 
communication. 

In Act 806, also within Act 802, the length of the portion of the concatenation of the 
authentication protocol identifier, the user credential and the challenge that has already been 
processed by the hash function may be determined. For example, if the hash function is an MD5-
based hash function, the length of such portion of the concatenation may be determined by the 
following operation: L(S') = (L(ID) + L(P) + L(C)) - L(C2). 

In a following Act 808, the hash function may be initialized to the state established in Act 
802. 

In Act 810, the input sequence for the remaining one or two iterations of the hash function 
may be generated using the second part of the challenge. For example, if the hash function is an 
MD5-based hash function, then Act 810 may include appending (in the following order) the 
following appendage to the second part of the challenge: a hex 80 octet, padding octets (zero or 
more octets of zeroes) and an eight-octet message length. For example, the remaining iterations 
input sequence may be input sequence 1100 illustrated below in relation to Fig. 11. 

In some embodiments, for example, when the hash function is an MD5-based hash 
function, the number of remaining iterations depends on the length in octets of the second part of 
the challenge, L(C2). As described above in relation to method 600, if L(C2) >= fifty-six octets, 
then the addition of the appendage produces an input sequence having a length exceeding sixty-
four octets, and the number of remaining iterations is two. If L(C2) < fifty-six octets, then the 
addition of the appendage produces an input sequence having a length that does not exceed sixty-
four octets, and the number of remaining iterations is one. 

In Act 812, the hash function may be completed using the remaining iterations input 
sequence and the preliminary hash value. For example, if the hash function is an MD5-based 
hash function and one iteration remains, the final hash value resulting from the completion of the 
hash function is R = f(R', M[N]), where M[N] is the 64-octet remaining iterations input sequence; 
if two iterations remain, the two 64-octet segments M[N] and M[N+1] of the remaining iterations 
input sequence are processed in turn, so that R = f(f(R', M[N]), M[N+1]). 
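
Methods 600 and 800 and the Act 412 check carried through end to end, as an added worked example in Python (this is not code from the patent). Because hashlib does not expose MD5's intermediate state, the MD5 iteration f(x, y) is written out in full; the function names and the sample ID, password and challenge are constructed for illustration. The last function also shows the MiM failure described earlier: a final hash value R learned outside the tunnel is not the preliminary value R' the tunnel server expects, so completing the hash from R yields a value the authentication server rejects.

```python
"""Added example: split MD5 between client (method 600) and tunnel server
(method 800), plus the Act 412 check. f(x, y) below is one MD5 iteration over
a 64-octet segment. Sample ID, P and C are constructed; names are illustrative."""
import hashlib
import hmac
import math
import struct

_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
MD5_IV = bytes.fromhex("0123456789abcdeffedcba9876543210")   # V[0] = I, the fixed MD5 IV


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def md5_iteration(state, block):
    """f(V[n], M[n]) -> V[n+1]: one MD5 iteration, 16-octet state, 64-octet segment."""
    a0, b0, c0, d0 = struct.unpack("<4I", state)
    m = struct.unpack("<16I", block)
    a, b, c, d = a0, b0, c0, d0
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return struct.pack("<4I", (a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                       (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)


def md5_appendage(msg_len):
    """Appendage 317/1102: hex 80, zero padding to 56 mod 64, 8-octet little-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)


def md5_full(data):
    """Reference: complete MD5 via md5_iteration (what CHAP/MDC compute over ID|P|C)."""
    padded = data + md5_appendage(len(data))
    v = MD5_IV
    for n in range(len(padded) // 64):
        v = md5_iteration(v, padded[64 * n:64 * n + 64])
    return v


def partition_challenge(id_octet, password, challenge):
    """Act 602: L(C2) = L(ID|P|C) mod 64 and L(C1) = L(C) - L(C2)."""
    l_c2 = (len(id_octet) + len(password) + len(challenge)) % 64
    if len(challenge) < l_c2:
        raise ValueError("challenge too short to partition")
    return challenge[:len(challenge) - l_c2], challenge[len(challenge) - l_c2:]


def client_preliminary_hash(id_octet, password, challenge):
    """Acts 604-606: hash S' = ID|P|C1 with NO appendage; returns R' and L(P) for payload 700."""
    c1, _ = partition_challenge(id_octet, password, challenge)
    s_prime = id_octet + password + c1                 # L(S') = 64 * N by construction
    v = MD5_IV
    for n in range(len(s_prime) // 64):                # the first N iterations only
        v = md5_iteration(v, s_prime[64 * n:64 * n + 64])
    return v, len(password)


def server_final_hash(id_octet, password_len, challenge, r_prime):
    """Method 800: resume from R' (Act 808) and process C2 plus the appendage (Acts 810-812)."""
    total = len(id_octet) + password_len + len(challenge)   # the count state, from L(P) in payload 700
    l_c2 = total % 64                                        # Act 804
    c2 = challenge[len(challenge) - l_c2:]
    remaining = c2 + md5_appendage(total)                    # Act 810: 64 or 128 octets
    v = r_prime
    for n in range(len(remaining) // 64):                    # Act 812: last one or two iterations
        v = md5_iteration(v, remaining[64 * n:64 * n + 64])
    return v


def auth_server_accepts(id_octet, password, challenge, final_hash):
    """Act 412 as a CHAP/MDC server would do it: recompute MD5(ID|P|C) and compare in constant time."""
    return hmac.compare_digest(hashlib.md5(id_octet + password + challenge).digest(), final_hash)


SAMPLE_ID = b"\x07"                                   # constructed sample values, not from the text
SAMPLE_P = b"correct horse battery"
SAMPLE_C = bytes(range(1, 80))                        # 79 non-zero octets, as Act 402 conditions C


def demo(id_octet=SAMPLE_ID, password=SAMPLE_P, challenge=SAMPLE_C):
    """Both halves of the split hash, and why a response relayed from outside the tunnel fails."""
    r_prime, l_p = client_preliminary_hash(id_octet, password, challenge)
    r = server_final_hash(id_octet, l_p, challenge, r_prime)
    chap_r = hashlib.md5(id_octet + password + challenge).digest()   # response learned outside the tunnel
    relayed = server_final_hash(id_octet, l_p, challenge, chap_r)    # MiM offers R where R' is expected
    return {"final_matches_md5": r == chap_r,
            "r_prime_differs_from_r": r_prime != chap_r,
            "relayed_r_rejected": not auth_server_accepts(id_octet, password, challenge, relayed)}
```

The server never needs the password itself, only L(P), which is exactly what the octets-used field of payload 700 carries; with the 79-octet challenge, password lengths of 21, 40, 47 and 48 octets exercise L(C2) of 37, 56, 63 and 0, i.e. one remaining iteration, two remaining iterations, the minimum L(C1) = C1MIN, and an empty C2 with two client iterations.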

Returning to method 400, in a following Act 412, the user may be authenticated based on 
the final hash value. For example, the first network device may include an authentication server 
for authenticating the user, or the final hash value may be transmitted to an authentication server 
on a separate network device. 

If the authentication server resides on the first network device, the authentication server 
may perform authentication by generating another preliminary hash value using the credential, for 
example, using the same technique as described above in relation to Act 406, and comparing this 
other preliminary hash value to the preliminary hash value received from the client. 
Alternatively, the authentication server may perform the entire hash function and compare the 
resulting final hash value to the final hash value resulting from Act 410. It should be appreciated 
that the tunnel server and the authentication server may be integrated as a single logical 
component on the first network device. 

In one or more embodiments of the invention, if the final hash value is sent to the 
authentication server, such final hash value is the same hash value that would be sent to the 
authentication server if the client itself had performed the entire hash function on the challenge. 

Methods 400, 600 and 800 may include additional acts, and are merely illustrative 
embodiments of a method of authenticating a user on a network by splitting performance of a 
hashing function between a client and a tunnel server. Such illustrative embodiments are not 
intended to limit the scope of the invention. Any of numerous other implementations for 
authenticating a user by splitting performance of a hashing function between a client and a tunnel 
server, for example, variations of methods 400, 600 and 800, are possible and are intended to fall 
within the scope of the invention. 

Methods 400, 600 and 800, acts thereof and various embodiments and variations of these 
methods and acts, individually or in combination, may be defined by computer-readable signals 
tangibly embodied on a computer-readable medium, for example, a non-volatile recording 
medium, an integrated circuit memory element, or a combination thereof. Such signals may 
define instructions, for example, as part of one or more programs, that, as a result of being 
executed by a computer, instruct the computer to perform one or more of the methods or acts 
described herein, and/or various embodiments, variations and combinations thereof. Such 
instructions may be written in any of a plurality of programming languages, for example, Java, 
Visual Basic, C, C#, C++, Fortran, Pascal, Eiffel, Basic, COBOL, etc., or any of a variety of 
combinations thereof. The computer-readable medium on which such instructions are stored may 
reside on one or more of the components of system 900 described below, and may be distributed 
across one or more of such components. 

The computer-readable medium may be transportable such that the instructions stored 
thereon can be loaded onto any computer system resource to implement the aspects of the present 
invention discussed herein. In addition, it should be appreciated that the instructions stored on the 
computer-readable medium, described above, are not limited to instructions embodied as part of 
an application program running on a host computer. Rather, the instructions may be embodied as 
any type of computer code (e.g., software or microcode) that can be employed to program a 
processor to implement the above-discussed aspects of the present invention. 
It should be appreciated that any single component or collection of multiple components 
of a computer system, for example, the computer system described below in relation to Figs. 12 
and 13, that perform the functions described above with respect to the methods can be generically 
considered as one or more controllers that control the above-discussed functions. The one or 
more controllers can be implemented in numerous ways, such as with dedicated hardware, or 
using a processor that is programmed using microcode or software to perform the functions 
recited above. 

Fig. 9 is a block diagram illustrating an example of a system 900 for authenticating a user in 
accordance with one or more embodiments of the invention. 

System 900 may include client 902 residing on a second network device 901, network 
909, network 936, tunnel server 914 residing on a first network device 913, and authentication 
server 926, which may reside on first network device 913 or on another network device. Client 902 
may be configured to receive challenges, for example, challenge 932, outside of a network tunnel 
across a network 936. Further, client 902 may be configured to transmit responses, for example, 
response 934, outside of a tunnel across network 936. The client 902 also may be configured to 
receive a challenge 912 (e.g., a padded challenge as described above in relation to Act 402 of 
method 400) from tunnel server 914 and to generate and transmit a preliminary hash value 910 
within a tunnel 908 across network 909 to tunnel server 914, for example, in accordance with 
Acts 404 and 406 and method 600. The preliminary hash 910 may be transmitted within a 
communication 911 (e.g., a communication carrying payload 700), which also may include a user 
credential length 920 (e.g., password length). 

The client 902 may include a preliminary hash value generator 904 to receive an 
initialization vector and a hash function input sequence, and to generate preliminary hash value 
910, for example, as described above in relation to Act 406 and method 600. Client 902 also may 
include hash value generator 906, which may be configured to generate a hash value in 
accordance with Acts 206 and 208. For example, hash value generator 906 may be configured to 
operate similar to or the same as hash value generator 104 described above in relation to Figs. 1 
and 3. Preliminary hash value generator 904 and hash value generator 906 may be a same component 
configured (e.g., programmed or hard-wired) to generate final hash values or preliminary hash 
values depending on the authentication protocol being used for a particular session. For example, 
the client may be configured to determine the authentication protocol for a session based on an 
authentication protocol identifier received with challenge 932 or challenge 912. 
The tunnel server 914 may be configured to generate a challenge 912, which may be a 
challenge padded as described above in relation to Act 402 of method 400, and to transmit it 
through tunnel 908 across network 909 to the client 902, for example, as described above in 
relation to Acts 402 and 404 of Fig. 4. The tunnel server 914 may include a padded challenge 
generator 918 to generate the challenge 912. Padded challenge generator 918 also may be 
configured to generate non-padded challenges in accordance with known authentication protocols. 
The tunnel server 914 also may be configured to receive preliminary hash value 910 transmitted 
from the client through the tunnel 908 across network 909, and to complete the hash function to 
produce the final hash value 922, for example, as described above in relation to Act 410 of 
method 400 and method 800. The tunnel server 914 may include a final hash value generator 916 
to generate the final hash value 922. 

If the authentication server 926 does not reside on network device 913, the tunnel server 
914 may be configured to transmit the final hash value 922 to the authentication server 926 so that 
the authentication server 926 may perform the authentication, for example, as described above in 
relation to Act 412 of method 400. 

As described above, in one or more embodiments, the challenge 912 is not generated by 
the tunnel server 914, but is generated by the authentication server 926 residing on a separate 
network device. In such case, the authentication server 926 may include a padded challenge 
generator 930 that generates challenge 924 (which may be a padded challenge), which is 
forwarded through the tunnel 908 as challenge 912 by the tunnel server 914. 

Fig. 10 is an information flow diagram illustrating an example of a preliminary hash value 
generator 904 generating a preliminary hash value 910. 

The preliminary hash value generator 904 may be configured to receive the initialization 
vector 1012 and a hash function input sequence 1002. As described above in relation to Acts 602 
and 604 of method 600, the hash function input sequence 1002 may include authentication 
protocol identifier 1008, user credential 1006, and a first part of the challenge 1004. The hash 
function input sequence 1002 may be configured such that the preliminary hash value generator 
904 receives the information in the order presented in the previous sentence, specifically: 1008, 
1006, 1004. The preliminary hash value generator 904 then may generate the preliminary hash 
value 910 as described above in relation to Act 606 of method 600. 
Fig. 11 is an information flow diagram illustrating an example of a final hash value
generator 916 generating a final hash value 922 based on a preliminary hash value 910 and a
second part of a challenge 1110.

The final hash value generator 916 may be configured to receive the preliminary hash
value 910, generated by the preliminary hash value generator 904, and the remaining iterations
input sequence 1100, and produce final hash value 922. The final hash value generator 916 may
be initialized to the current state of the hashing function, as described above in relation to Act 808
of method 800. The preliminary hash 910 may serve as current vector, V, of the hash function.
The remaining iterations input sequence 1100 may include appendage 1102 and the
second part of the challenge 1110. As described above, appendage 1102 may include an eight-
octet message length field 1104, padding octets 1106, and a hex 80 octet 1108. The remaining
iterations input sequence 1100 may be configured such that the final hash generator receives the
information included therein in the following order: 1110, 1108, 1106, 1104.
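The split computation that Figs. 10 and 11 describe (the client runs the hash over the leading whole blocks of the input sequence and hands over the current vector V; the tunnel server resumes from V with the second part of the challenge and the appendage) can be checked end to end against a one-shot MD5. The following is an added example written for this page, not code from the patent or from Funk Software: the reference numerals in the comments are the page's, while the function names, the block-boundary split rule (one reading of claim 15) and the sample identifier, credential and challenge values are constructed here.

```python
"""Split MD5 as in the Fig. 10 / Fig. 11 flow: the client side stops on a
64-octet block boundary with no appendage and passes the chaining state on;
the server side finishes with the rest of the challenge plus the appendage."""
import hashlib
import math
import struct

# Per-step rotation amounts and sine-derived round constants (RFC 1321).
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # initialization vector 1012


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def md5_compress(state, block):
    """One iteration of the hash function: absorb a 64-octet block into the
    current vector V (four 32-bit words) and return the new vector."""
    assert len(block) == 64
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def appendage(total_len):
    """Appendage 1102 in the order the page gives: hex 80 octet 1108, padding
    octets 1106, then the eight-octet (little-endian) bit-length field 1104."""
    return (b"\x80" + b"\x00" * ((55 - total_len) % 64)
            + struct.pack("<Q", (8 * total_len) & (2 ** 64 - 1)))


def preliminary_hash(first_part):
    """Client side (Fig. 10): hash input sequence 1002 = identifier || credential ||
    first part of the challenge, fed in whole blocks with NO appendage; returns V."""
    assert len(first_part) % 64 == 0, "client must stop exactly on a block boundary"
    state = MD5_IV
    for off in range(0, len(first_part), 64):
        state = md5_compress(state, first_part[off:off + 64])
    return state


def final_hash(state, second_part, total_len):
    """Server side (Fig. 11): resume from V with remaining iterations input
    sequence 1100 = second part of challenge 1110 || appendage 1102."""
    data = second_part + appendage(total_len)
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def choose_split(identifier, credential, challenge):
    """Constructed split rule (one reading of claim 15): from the length of the
    concatenation, pick the last 64-octet boundary that falls inside the
    challenge, so the client's part is less than the complete challenge."""
    prefix = len(identifier) + len(credential)
    total = prefix + len(challenge)
    split = (total // 64) * 64
    if split <= prefix or split >= total:
        raise ValueError("challenge too short to split on a block boundary")
    return split - prefix  # number of challenge octets handled by the client


def split_md5(identifier, credential, challenge):
    """Run the two halves and return the final hash value 922."""
    n = choose_split(identifier, credential, challenge)
    seq = identifier + credential + challenge
    v = preliminary_hash(seq[: len(identifier) + len(credential) + n])
    return final_hash(v, challenge[n:], len(seq))


def matches_reference(identifier, credential, challenge):
    """True when the split computation equals one-shot MD5 of the same sequence."""
    one_shot = hashlib.md5(identifier + credential + challenge).digest()
    return split_md5(identifier, credential, challenge) == one_shot


if __name__ == "__main__":
    # Constructed sample values; the credential never leaves preliminary_hash().
    print(matches_reference(b"EAP-MD5:", b"alice@example.org", bytes(range(80))))
```

Two points the code makes concrete: the preliminary hash value 910 is a complete chaining state, so any party holding it can finish the computation over any suffix, which is why the design keeps it inside the tunnel and leaves the second part of the challenge and the appendage to the server side; and the split only works when the client stops exactly on a 64-octet boundary, so the server needs the total length (here passed as `total_len`, or derivable from the credential length indication of claim 7) to build the appendage correctly.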

Client 902, tunnel server 911, authentication server 926 and components thereof, including
preliminary hash value generator 904, hash value generator 906, final hash value generator 916
and padded challenge generator 930 may be implemented using software (e.g., code in C, C#,
C++, Java, or a combination thereof), hardware (e.g., one or more application-specific integrated
circuits), firmware (e.g., electrically-programmable memory) or any combination thereof. For
client 902, tunnel server 914 and authentication server 926, one or more of the components of
each may reside on a single system, or one or more components may reside on separate, discrete
systems. Further, each component may be distributed across multiple systems, and one or more
of the systems may be interconnected.

Further, on each of the one or more systems that include one or more of the components,
each of the components may reside in one or more locations on the system. For example,
different portions of the components may reside in different areas of memory (e.g., RAM, ROM,
disk, etc.) on the system. Each of the one or more systems may
include, among other components, a plurality of known components such as one or more
processors, a memory system, a disk storage system, one or more network interfaces, and one or
more busses or other internal communication links interconnecting the various components. Each
of client 902, tunnel server 914 and authentication server 926 may be implemented on a computer
system described below in relation to Figs. 12 and 13.
System 900 is merely an illustrative embodiment of a system for authenticating a user by
splitting performance of a hashing function between a client and a tunnel server. Such an
illustrative embodiment is not intended to limit the scope of the invention, as any of numerous
other implementations of authenticating a user by splitting performance of a hashing function
between a client and a tunnel server, for example, variations of system 900, are possible and are
intended to fall within the scope of the invention.

Various embodiments according to the invention may be implemented on one or more
computer systems. These computer systems may be, for example, general-purpose computers
such as those based on Intel PENTIUM-type processor, Motorola PowerPC, Sun UltraSPARC,
Hewlett-Packard PA-RISC processor, or any other type of processor. It should be appreciated
that one or more of any type computer system may be used to authenticate a user by splitting
performance of a hashing function between a client and a tunnel server according to various
embodiments of the invention. Further, the software design system may be located on a single
computer or may be distributed among a plurality of computers attached by a communications
network.

A general-purpose computer system according to one embodiment of the invention is
configured to authenticate a user by splitting performance of a hashing function between a client
and a tunnel server. It should be appreciated that the system may perform other functions, and the
invention is not limited to having any particular function or set of functions. As used herein, a
"set" of items may include one or more of such items.

For example, various aspects of the invention may be implemented as specialized software
executing in a general-purpose computer system 1200 such as that shown in Figure 12. The
computer system 1200 may include a processor 1203 connected to one or more memory devices
1204, such as a disk drive, memory, or other device for storing data. Memory 1204 is typically
used for storing programs and data during operation of the computer system 1200. Components
of computer system 1200 may be coupled by an interconnection mechanism 1205, which may
include one or more busses (e.g., between components that are integrated within a same machine)
and/or a network (e.g., between components that reside on separate discrete machines). The
interconnection mechanism 1205 enables communications (e.g., data, instructions) to be
exchanged between system components of system 1200. Computer system 1200 also includes
one or more input devices 1202, for example, a keyboard, mouse, trackball, microphone, touch
screen, and one or more output devices 1201, for example, a printing device, display screen,
speaker. In addition, computer system 1200 may contain one or more interfaces (not shown) that
connect computer system 1200 to a communication network (in addition or as an alternative to the
interconnection mechanism 1205).

The storage system 1206, shown in greater detail in Fig. 13, typically includes a computer-
readable and writeable nonvolatile recording medium 1301 in which signals are stored that define
a program to be executed by the processor or information stored on or in the medium 1301 to be
processed by the program. The medium may, for example, be a disk or flash memory. Typically,
in operation, the processor causes data to be read from the nonvolatile recording medium 1301
into another memory 1302 that allows for faster access to the information by the processor than
does the medium 1301. This memory 1302 is typically a volatile, random access memory such as
a dynamic random access memory (DRAM) or static memory (SRAM). It may be located in
storage system 1206, as shown, or in memory system 1204, not shown. The processor 1203
generally manipulates the data within the integrated circuit memory 1204, 1302 and then copies
the data to the medium 1301 after processing is completed. A variety of mechanisms are known
for managing data movement between the medium 1301 and the integrated circuit memory
element 1204, 1302, and the invention is not limited thereto. The invention is not limited to a
particular memory system 1204 or storage system 1206.

The computer system may include specially-programmed, special-purpose hardware, for
example, an application-specific integrated circuit (ASIC). Aspects of the invention may be
implemented in software, hardware or firmware, or any combination thereof. Further, such
methods, acts, systems, system elements and components thereof may be implemented as part of
the computer system described above or as an independent component.

Although computer system 1200 is shown by way of example as one type of computer
system upon which various aspects of the invention may be practiced, it should be appreciated
that aspects of the invention are not limited to being implemented on the computer system as
shown in Fig. 12. Various aspects of the invention may be practiced on one or more computers
having a different architecture or components than that shown in Fig. 12.

Computer system 1200 may be a general-purpose computer system that is programmable
using a high-level computer programming language. Computer system 1200 may be also
implemented using specially programmed, special purpose hardware. In computer system 1200,
processor 1203 is typically a commercially available processor such as the well-known Pentium
class processor available from the Intel Corporation. Many other processors are available. Such a
processor usually executes an operating system which may be, for example, the Windows 95,
Windows 98, Windows NT, Windows 2000 (Windows ME) or Windows XP operating systems
available from the Microsoft Corporation, MAC OS System X available from Apple Computer,
the Solaris Operating System available from Sun Microsystems, or UNIX available from various
sources. Many other operating systems may be used.

The processor and operating system together define a computer platform for which
application programs in high-level programming languages are written. It should be understood
that the invention is not limited to a particular computer system platform, processor, operating
system, or network. Also, it should be apparent to those skilled in the art that the present
invention is not limited to a specific programming language or computer system. Further, it
should be appreciated that other appropriate programming languages and other appropriate
computer systems could also be used.

One or more portions of the computer system may be distributed across one or more
computer systems (not shown) coupled to a communications network. These computer systems
also may be general-purpose computer systems. For example, various aspects of the invention
may be distributed among one or more computer systems configured to provide a service (e.g.,
servers) to one or more client computers, or to perform an overall task as part of a distributed
system. For example, various aspects of the invention may be performed on a client-server
system that includes components distributed among one or more server systems that perform
various functions according to various embodiments of the invention. These components may be
executable, intermediate or interpreted (e.g., Java) code which communicate over a
communication network (e.g., the Internet) using a communication protocol (e.g., TCP/IP).

It should be appreciated that the invention is not limited to executing on any particular
system or group of systems. Also, it should be appreciated that the invention is not limited to any
particular distributed architecture, network, or communication protocol.

Various embodiments of the present invention may be programmed using an object-
oriented programming language, such as SmallTalk, Java, C++, Ada, or C# (C-Sharp). Other
object-oriented programming languages may also be used. Alternatively, functional, scripting,
and/or logical programming languages may be used. Various aspects of the invention may be
implemented in a non-programmed environment (e.g., documents created in HTML, XML or
other format that, when viewed in a window of a browser program, render aspects of a graphical-
user interface (GUI) or perform other functions). Various aspects of the invention may be
implemented as programmed or non-programmed elements, or any combination thereof.

Having now described some illustrative embodiments of the invention, it should be
apparent to those skilled in the art that the foregoing is merely illustrative and not limiting, having
been presented by way of example only. Numerous modifications and other illustrative
embodiments are within the scope of one of ordinary skill in the art and are contemplated as
falling within the scope of the invention. In particular, although many of the examples presented
herein involve specific combinations of method acts or system elements, it should be understood
that those acts and those elements may be combined in other ways to accomplish the same
objectives. Acts, elements and features discussed only in connection with one embodiment are
not intended to be excluded from a similar role in other embodiments. Further, for the one or
more means-plus-function limitations recited in the following claims, the means are not intended
to be limited to the means disclosed herein for performing the recited function, but are intended to
cover in scope any equivalent means, known now or later developed, for performing the recited
function.

Use of ordinal terms such as "first", "second", "third", etc., in the claims to modify a claim
element does not by itself connote any priority, precedence, or order of one claim element over
another or the temporal order in which acts of a method are performed, but are used merely as
labels to distinguish one claim element having a certain name from another element having a
same name (but for use of the ordinal term) to distinguish the claim elements.

What is claimed is:

CLAIMS

1. A method of at least partially authenticating a user on a communications network, the
method comprising acts of:

(A) transmitting a first communication from a first network device to a second network
device, wherein the first communication includes a challenge;

(B) in response to receiving the challenge, generating a preliminary hash value by
performing only part of a hash function on a first part of the challenge, wherein the first part is
less than the complete challenge;

(C) transmitting a second communication from the second network device to the first
network device, the second communication including the preliminary hash value; and

(D) completing performance of the hash function on the first network device to produce a
final hash value.

2. The method of claim 1, wherein act (B) comprises:

performing only part of a Message Digest 5-based encryption function.

3. The method of claim 2, wherein a standard Message Digest 5 algorithm includes adding an
appendage of information to information to be communicated to produce padded information that
has a length that is a multiple of sixty-four octets, and includes inputting the padded information
to a standard Message Digest 5 function, and wherein act (B) comprises:

(3) generating an input sequence to the Message Digest 5-based encryption function by
concatenating information to be communicated from the second network device to the first
network device; and

(4) inputting the input sequence into the Message Digest 5-based encryption function
without previously adding an appendage of information to the input sequence.

4. The method of claim 1, wherein the complete performance of the hash function involves
performing a first number of iterations, act (B) includes performing a second number of iterations
less than the first number, and act (D) includes performing a third number of
iterations equal to the first number minus the second number, resulting in a complete performance
of the hash function.
5. The method of claim 1, wherein act (D) includes completing the hash function using a
second part of the challenge, wherein the first part and the second part form the complete
challenge.

6. The method of claim 1, wherein act (B) includes generating the preliminary hash value
based, at least in part, on the first part of the challenge and a user credential.

7. The method of claim 6, wherein act (B) includes dividing the challenge into the first part
and a second part, and the method further comprises:

(E) configuring the second communication to include an indication of a length in bits of
the user credential, and

wherein act (D) includes completing the hash function based, at least in part, on the second
part of the challenge and the length of the user credential.

8. The method of claim 7, wherein act (D) includes:

(1) determining a state of the hash function based, at least in part, on the length of the user
credential; and

(2) completing the hash function based, at least in part, on the determined state.

9. The method of claim 7, wherein act (D) further comprises:

(1) determining a length of the second part based, at least in part, on a length of the
challenge and the length of the user credential; and

(2) completing the hash function based, at least in part, on the determined length of the
second part.

10. The method of claim 1, further comprising an act of:

(E) generating the challenge on the first network device, including generating a portion of
the challenge having a length equal to a desired minimum entropy for the challenge, and
appending bits to the portion of the challenge to produce the challenge.

11. The method of claim 10, wherein act (E) includes appending sixty-three bits to the portion.
12. The method of claim 1, wherein the challenge includes a plurality of sequences of bits, the
method further comprising an act of:

(E) generating the challenge on the first network device, including configuring one or
more of the plurality of sequences to include at least one non-zero bit.

13. The method of claim 12, wherein each sequence is an octet of bits.

14. The method of claim 1, further comprising an act of:

(E) generating the challenge on the first network device, including configuring the
challenge to include at least a minimum number of octets of bits.

15. The method of claim 1, wherein act (B) comprises:

(1) determining a length of a concatenation of an authentication protocol identifier, a user
credential and the challenge; and

(2) dividing the challenge into the first part and a second part based on the determined
length.

16. The method of claim 1, further comprising an act of:

(E) authenticating the user based on the final hash value.

17. The method of claim 1, wherein the method further comprises an act of:

(E) transmitting a third communication including the final hash value to a third network
device configured to authenticate the user.

18. The method of claim 1, wherein act (A) includes transmitting the first communication
within a tunnel between the first network device and the second network device and Act (C)
includes transmitting the second communication within the tunnel.

19. A system for at least partially authenticating a user on a communications network, the
system comprising:
a first communication device operative to transmit a first communication from a first
network device to a second network device, wherein the first communication includes a
challenge; and

a second network device operative to receive the challenge and transmit a second
communication from the second network device to the first network device, the second
communication including a preliminary hash value,

wherein the second network device includes means for generating a preliminary hash
value by performing only part of a hash function on a first part of the challenge, wherein the first
part is less than the complete challenge, and

wherein the first network device includes means for completing performance of the hash
function to produce a final hash value.

20. The system of claim 19, wherein the second network device includes means for
performing only part of a Message Digest 5-based encryption function.

21. The system of claim 20, wherein a standard Message Digest 5 algorithm includes adding
an appendage of information to information to be communicated to produce padded information
that has a length that is a multiple of sixty-four octets, and includes inputting the padded
information to a standard Message Digest 5 function, and

wherein the second network device includes means for generating an input sequence to the
Message Digest 5-based encryption function by concatenating information to be communicated
from the second network device to the first network device, and includes means for inputting the
input sequence into the Message Digest 5-based encryption function without previously adding an
appendage of information to the input sequence.

22. The system of claim 19, wherein the complete performance of the hash function involves
performing a first number of iterations, and the second network device includes means for
performing a second number of iterations less than the first number of iterations, and wherein the
first network device includes means for performing a third number of iterations equal to the first
number minus the second number, resulting in a complete performance of the hash function.
23. The system of claim 19, wherein the first network device includes means for completing
the hash function using a second part of the challenge, wherein the first part and the second part
form the complete challenge.

24. The system of claim 19, wherein the first network device includes means for generating
the preliminary hash value based, at least in part, on the first part of the challenge and a user
credential.

25. The system of claim 24, wherein the second network device includes means for dividing
the challenge into the first part and a second part, and for configuring the second communication
to include an indication of a length in bits of the user credential, and the first network device
includes means for completing the hash function based, at least in part, on the second part of the
challenge and the length of the user credential.

26. The system of claim 25, wherein the first network device includes means for determining a
state of the hash function based, at least in part, on the length of the user credential, and for
completing the hash function based, at least in part, on the determined state.

27. The system of claim 25, wherein the first network device includes means for determining a
length of the second part based, at least in part, on a length of the challenge and the length of the
user credential, and for completing the hash function based, at least in part, on the determined
length of the second part.

28. The system of claim 19, wherein the first network device includes means for generating
the challenge on the first network device, including means for generating a portion of the
challenge having a length equal to a desired minimum entropy for the challenge, and means for
appending bits to the portion of the challenge to produce the challenge.

29. The method of claim 28, wherein the means for generating the challenge includes means for appending
sixty-three bits to the portion.
30. The system of claim 19, wherein the challenge includes a plurality of sequences of bits,
and the first network device includes means for generating the challenge on the first network
device, including means for configuring one or more of the plurality of sequences to include at
least one non-zero bit.

31. The system of claim 30, wherein each sequence is an octet of bits.

32. The system of claim 19, wherein the first network device includes means for generating
the challenge on the first network device, including means for configuring the challenge to
include at least a minimum length of bits.

33. The system of claim 19, wherein the second network device includes means for
determining a length of a concatenation of an authentication protocol identifier, a user credential
and the challenge, and means for dividing the challenge into the first part and a second part based
on the determined length.

34. The system of claim 19, wherein the first network device includes means for
authenticating the user based on the final hash value.

35. The system of claim 19, wherein the first network device includes means for transmitting a
third communication including the final hash value to a third network device configured to
authenticate the user.

36. The system of claim 19, wherein the first network device includes means for transmitting
the first communication within a tunnel between the first network device and the second network
device.

37. The system of claim 19, wherein the second communication device includes means for
transmitting the second communication within a tunnel between the first device and the second
device.
38. A computer program used to control a computer to perform a method of at least partially
authenticating a user on a communications network, the method comprising:

(A) transmitting a first communication from a first network device to a second network
device, wherein the first communication includes a challenge;

(B) in response to receiving the challenge, generating a preliminary hash value by
performing only part of a hash function on a first part of the challenge, wherein the first part is
less than the complete challenge; and

(C) transmitting a second communication from the second network device to the first
network device, the second communication including the preliminary hash value; and

(D) completing performance of the hash function on the first network device to produce a
final hash value.

39. The computer program of claim 38, wherein act (B) comprises:

performing only part of a Message Digest 5-based encryption function.

40. The computer program of claim 39, wherein a standard Message Digest 5 algorithm
includes adding an appendage of information to information to be communicated to produce
padded information that has a length that is a multiple of sixty-four octets, and includes inputting
the padded information to a standard Message Digest 5 function, and wherein act (B) comprises:

(3) generating an input sequence to the Message Digest 5-based encryption function by
concatenating information to be communicated from the second network device to the first
network device; and

(4) inputting the input sequence into the Message Digest 5-based encryption function
without previously adding an appendage of information to the input sequence.

41. The computer program of claim 38, wherein the complete performance of the hash
function involves performing a first number of iterations, act (B) includes performing a second
number of iterations less than the first number of iterations, and act (D) includes performing a
third number of iterations equal to the first number minus the second number, resulting in a
complete performance of the hash function.
42. The computer program of claim 38, wherein act (D) includes completing the hash function
using a second part of the challenge, wherein the first part and the second part form the complete
challenge.

43. The computer program of claim 38, wherein act (B) includes generating the preliminary
hash value based, at least in part, on the first part of the challenge and a user credential.

44. The computer program of claim 43, wherein act (B) includes dividing the challenge into
the first part and a second part, and the method further comprises:

(E) configuring the second communication to include an indication of a length in bits of
the user credential, and

wherein act (D) includes completing the hash function based, at least in part, on the second
part of the challenge and the length of the user credential.

45. The computer program of claim 44, wherein act (D) includes:

(1) determining a state of the hash function based, at least in part, on the length of the user
credential; and

(2) completing the hash function based, at least in part, on the determined state.

46. The computer program of claim 44, wherein act (D) further comprises:

(1) determining a length of the second part based, at least in part, on a length of the
challenge and the length of the user credential; and

(2) completing the hash function based, at least in part, on the determined length of the
second part.

47. The computer program of claim 38, wherein the method further comprises an act of:

(E) generating the challenge on the first network device, including generating a portion of
the challenge having a length equal to a desired minimum entropy for the challenge, and
appending bits to the portion of the challenge to produce the challenge.

48. The computer program of claim 47, wherein act (E) includes appending sixty-three bits to
the portion.
49. The computer program of claim 38, wherein the challenge includes a plurality of
sequences of bits, the method further comprising an act of:

(E) generating the challenge on the first network device, including configuring one or
more of the plurality of sequences to include at least one non-zero bit.

50. The computer program of claim 49, wherein each sequence is an octet of bits.

51. The computer program of claim 38, wherein the method further comprises an act of:

(E) generating the challenge on the first network device, including configuring the
challenge to include at least a minimum number of octets of bits.

52. The computer program of claim 38, wherein act (B) comprises:

(1) determining a length of a concatenation of an authentication protocol identifier, a user
credential and the challenge;

(2) dividing the challenge into the first part and a second part based on the determined
length.

53. The computer program of claim 38, wherein the method further comprises an act of:

(E) authenticating the user based on the final hash value.

54. The computer program of claim 38, wherein the method further comprises an act of:

(E) transmitting a third communication including the final hash value to a third network
device configured to authenticate the user.

55. The computer program of claim 38, wherein act (A) includes transmitting the first
communication within a tunnel between the first network device and the second network device
and Act (C) includes transmitting the second communication within the tunnel.

WO 2004/051964 PCT/US2003/038527 -49-

56. A method of at least partially authenticating a user on a communications network, the
method comprising:

(A) transmitting a first communication from a first network device to a second network
device, wherein the first communication includes a challenge;

(B) receiving a second communication from the second network device to the first 
network device, the second communication including a preliminary hash value resulting from 

5 performance of only part of a hash function on a first part of the challenge, whe/ein the first part 
is less than the complete challenge; and 

(C) completing performance of the hash function on the first network device to produce a 
final hash value. 



10 57. The method of claim 56, wherein the preliminary. h:\:h value is a result of partial 

performance of an : ics^.gj Di^c:;: >bascd cncrypliu: fu:.. :h;n on th. firjt part of the challenge, 

and wherein act (Z . c r . ises: 

completing ..lie Mcosag- Cdgcs: 5-bas^d en zryy :h:.\ .Unction. 



15 58. The method of cLhn 56, wherein the con:;: [etc ;.c; dumauce of the hash function involves 
performing a first number of iterations, and wherein the preliminary hash value resulted from 

performance of a second number of iterations less than ihe f.rst number of iterations, and 

wherein act {C) includes j,c; forming a third L^; ..f iterations equal to the first number 
minus the second ; d^r, rCoidd,..; hi a comuLtc :d... of d... h k ..di funedun 

20 

59. Themeil.^ \..d,.i : \. hi act (Z) h,.d..d.. ..L dug ihj function using a 

second part of the -whaiicnge, wherein the first part and the second part form the complete 
challenge. 



60. The method of claim 56, wherein the challenge includes two parts: the first part and a
second part, and the preliminary hash value is based, at least in part, on the first part of the
challenge and a user credential, and the second communication includes an indication of a length
in bits of the user credential, and

wherein act (C) includes completing the hash function based, at least in part, on the second
part of the challenge and the length of the user credential.



61. The method of claim 60, wherein act (C) includes:




(1) determining a state of the hash function based, at least in part, on the length of the user
credential; and 

(2) completing the hash function based, at least in part, on the determined state. 

62. The method of claim 60, wherein act (C) further comprises:

(1) determining a length of the second part based, at least in part, on a length of the 
challenge and the length of the user credential; and 

(2) completing the hash function based, at least in part, on the determined length of the 
second part. 



63. The method of claim 56, further comprising an act of:

(D) generating the challenge on the first network device, including generating a portion of
the challenge having a length equal to a desired amount of entropy for the challenge, and
appending bits to the portion of the challenge to produce the challenge.



64. The method of claim 63, wherein act (D) includes appending sixty-three bits to the
challenge.

65. The method of claim 56, wherein the challenge includes a plurality of sequences of bits,
the method further comprising an act of:

(D) generating the challenge, including configuring one or
more of the plurality of sequences to include at least one non-zero bit.

66. The method of claim 65, wherein each sequence is an octet of bits.

67. The method of claim 56, further comprising an act of:

(D) generating the challenge on the first network device, including configuring the
challenge to include at least a minimum length of bits.

68. The method of claim 56, wherein the method further comprises an act of:

(D) authenticating the user based on the final hash value.
69. The method of claim 56, wherein the method further comprises an act of:

(D) transmitting a third communication including the final hash value to a third network 

device configured to authenticate the user. 

70. A tunnel server residing on a first network device of a communications network for at 
least partially authenticating a user on the communications network, the tunnel server comprising: 

a challenge generator to generate a challenge that is transmitted from the first network
device to a second network device, wherein the tunnel server is operative to receive a preliminary
hash value from the second network device, the preliminary hash value resulting from
performance of only part of a hash function on a first part of the challenge, wherein the first part
is less than the complete challenge; and

means for completing performance of the hash function on the first network device to
produce a final hash value.

71. The system of claim 70, wherein the complete performance of the hash function involves
performing a first number of iterations, and the preliminary hash value is the result of
performance of a second number of iterations less than the first number of iterations, and wherein
the tunnel server includes means for performing a third number of iterations equal to the first
number minus the second number, resulting in a complete performance of the hash function.


72. The system of claim 70, wherein the tunnel server includes means for completing the hash
function using a second part of the challenge, wherein the first part and the second part form the
complete challenge.









73. The system of claim 70, wherein the challenge has the first part and a second part,
and the second communication includes an indication of a length in bits of a user credential, and

wherein the tunnel server includes means for completing the hash function based, at least
in part, on the second part of the challenge and the length of the user credential.

74. The system of claim 73, wherein the tunnel server includes means for determining a state
of the hash function based, at least in part, on the length of the user credential, and for completing
the hash function based, at least in part, on the determined state.
75. The system of claim 73, wherein the tunnel server includes means for determining a length
of the second part based, at least in part, on a length of the challenge and the length of the user
credential, and for completing the hash function based, at least in part, on the determined length of
the second part.

76. The system of claim 70, wherein the challenge generator includes means for generating 
the challenge on the tunnel server, including means for generating a portion of the challenge 
having a length equal to a desired amount of entropy for the challenge, and means for appending 

bits to the portion of the challenge to produce the challenge.

77. The method of claim 76, wherein the challenge generator includes means for appending
sixty-three bits to the portion.

78. The system of claim 70, wherein the challenge includes a plurality of sequences of bits,
and the challenge generator includes means for generating the challenge, including means for
configuring one or more of the plurality of sequences to include at least one non-zero bit.

79. The system of claim 78, wherein each sequence is an octet of bits.


80. The system of claim 70, wherein the challenge generator includes means for generating
the challenge, including means for configuring the challenge to include at least a minimum length
of bits.

81. The system of claim 70, wherein the tunnel server includes means for authenticating the
user based on the final hash value.






82. The system of claim 70, wherein the tunnel server is operative to transmit a third
communication including the final hash value to a third network device configured to authenticate
the user.
83. The system of claim 70, wherein the tunnel server includes means for transmitting the first
communication within a tunnel between the first network device and the second network device. 



84. A computer program used to control a computer to perform a method of at least partially 
authenticating a user on a communications network, the method comprising acts of:

(A) transmitting a first communication from a first network device to a second network 
device, wherein the first communication includes a challenge; 

(B) receiving a second communication from the second network device to the first
network device, the second communication including a preliminary hash value generated by
performing only part of a hash function on a first part of the challenge, wherein the first part is
less than the complete challenge; and

(C) completing performance of the hash function on the first network device to produce a
final hash value.



85. The computer program of claim 84, wherein the preliminary hash value is a result of
partial performance of a Message Digest 5-based encryption function on the first part of the
challenge, and wherein act (C) comprises:

completing the Message Digest 5-based encryption function.



86. The computer program of claim 84, wherein the complete performance of the hash
function involves performing a first number of iterations, and wherein the preliminary hash value
resulted from performance of a second number of iterations less than the first number of
iterations, and

wherein act (C) includes performing a third number of iterations equal to the first number
minus the second number, resulting in a complete performance of the hash function.



87. The computer program of claim 84, wherein act (C) includes completing the hash function
using a second part of the challenge, wherein the first part and the second part form the complete
challenge.


88. The computer program of claim 84, wherein the challenge includes two parts: the first part
and a second part, and the preliminary hash value is based, at least in part, on the first part of the
challenge and a user credential, and the second communication includes an indication of a length
in bits of the user credential, and

wherein act (D) includes completing the hash function based, at least in part, on the second
part of the challenge and the length of the user credential.


89. The computer program of claim 88, wherein act (D) includes:

(1) determining a state of the hash function based, at least in part, on the length of the user
credential; and

(2) completing the hash function based, at least in part, on the determined state.


90. The computer program of claim 88, wherein act (C) further comprises:

(1) determining a length of the second part based, at least in part, on a length of the
challenge and the length of the user credential; and

(2) completing the hash function based, at least in part, on the determined length of the
second part.

91. The computer program of claim 84, wherein the method further comprises an act of:

(D) generating the challenge on the first network device, including generating a portion of
the challenge having a length equal to a desired amount of entropy for the challenge, and
appending bits to the portion of the challenge to produce the challenge.

92. The computer program of claim 91, wherein act (D) includes appending sixty-three bits to
the challenge.

93. The computer program of claim 84, wherein the challenge includes a plurality of
sequences of bits, the method further comprising an act of:

(D) generating the challenge, including configuring one or
more of the plurality of sequences to include at least one non-zero bit.

94. The computer program of claim 93, wherein each sequence is an octet of bits.



95. The computer program of claim 84, wherein the method further comprises an act of:

(D) generating the challenge on the first network device, including configuring the
challenge to include at least a minimum length of bits.

96. The computer program of claim 84, wherein the method further comprises an act of:

(D) authenticating the user based on the final hash value.

97. The computer program of claim 84, wherein the method further comprises an act of:

(D) transmitting a third communication including the final hash value to a third network
device configured to authenticate the user.


98. A method of at least partially authenticating a user on a communications network in
response to a challenge received at a second network device from a first network device, the
method comprising acts of:

(A) generating a preliminary hash value by performing only part of a hash function on a
first part of the challenge wherein the first part is less than the complete challenge; and

(B) transmitting a communication from the second network device to the first network
device, the communication including the preliminary hash value.

99. The method of claim 98, wherein act (A) comprises:

performing only part of a Message Digest 5-based encryption function.

100. The method of claim 99, wherein a standard Message Digest 5 algorithm includes adding
an appendage of information to information to be communicated to produce padded information
that has a length that is a multiple of sixty-four octets, and includes inputting the padded
information to a standard Message Digest 5 function, and wherein act (A) comprises:

(3) generating an input sequence to the Message Digest 5-based encryption function by
concatenating information to be communicated from the second network device to the first
network device; and

(4) inputting the input sequence into the Message Digest 5-based encryption function
without previously adding an appendage of information to the input sequence.



101. The method of claim 98, wherein the complete performance of the hash function involves
performing a first number of iterations, and act (A) includes performing a second number of
iterations less than the first number of iterations.

102. The method of claim 98, wherein act (A) includes generating the preliminary hash value
based, at least in part, on the first part of the challenge and a user credential.

103. The method of claim 102, wherein act (A) includes dividing the challenge into the first
part and a second part, and the method further comprises:

(E) configuring the communication to include an indication of a length in bits of the user
credential.

104. The method of claim 98, wherein act (A) comprises:

(1) determining a length of a concatenation of an authentication protocol identifier, a user
credential and the challenge; and

(2) dividing the challenge into the first part and a second part based on the determined
length.

105. The method of claim 98, wherein act (A) includes transmitting the first communication
within a tunnel between the first network device and the second network device and Act (C)
includes transmitting the communication within the tunnel.
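The split hash computation that claims 56 to 62 (first network device) and 98 to 104 (second network device) describe, carried through end to end as an added worked example; this is editor-written code, not code from the patent or from any Funk Software product. It builds the MD5 compression function directly so that the intermediate chaining state (the "preliminary hash value") can be handed from one party to the other. The protocol identifier, credential and challenge are constructed sample values, the function names are my own, and the rule used to pick the split point (the last 64-octet block boundary inside the concatenation, so that the first part and the credential are consumed without padding) is my reading of claims 62 and 104, not wording from the patent.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# RFC 1321 per-step rotation amounts and the sine-derived additive constants.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block):
    """One MD5 compression step: absorb a single 64-octet block into the chaining state."""
    assert len(block) == 64
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & MASK32 & d), i
        elif i < 32:
            f, g = (d & b) | (~d & MASK32 & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_absorb(state, data):
    """Absorb a whole number of 64-octet blocks: the 'partial performance' of the hash."""
    assert len(data) % 64 == 0
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return state


def md5_finish(state, tail, total_len):
    """Absorb the unaligned tail plus the standard MD5 appendage (0x80, zeros, 64-bit length)."""
    pad = b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)
    return struct.pack("<4I", *md5_absorb(state, tail + pad))


def md5_digest(data):
    """Single-party MD5 from the same primitives, used only as a cross-check."""
    cut = (len(data) // 64) * 64
    return md5_finish(md5_absorb(MD5_IV, data[:cut]), data[cut:], len(data))


def client_preliminary(protocol_id, credential, challenge):
    """Second network device: hash only the block-aligned prefix of
    protocol_id || credential || challenge (claims 102 to 104) and return the
    preliminary hash value (MD5 chaining state), the credential length in bits
    (claim 103) and the length of the first part of the challenge consumed."""
    head = protocol_id + credential
    total = len(head) + len(challenge)
    cut = (total // 64) * 64  # assumed split rule: last 64-octet boundary in the concatenation
    if cut < len(head):
        raise ValueError("challenge too short: no block boundary after the credential")
    first_part = challenge[:cut - len(head)]
    state = md5_absorb(MD5_IV, head + first_part)  # no appendage is added here (claim 100)
    return state, len(credential) * 8, len(first_part)


def server_final(protocol_id, challenge, preliminary_state, credential_bits):
    """First network device: finish the hash from the preliminary value without ever
    seeing the credential, using the second part of the challenge and the credential
    length (claims 60 to 62)."""
    total = len(protocol_id) + credential_bits // 8 + len(challenge)
    second_part_len = total % 64  # from challenge length and credential length (claim 62)
    second_part = challenge[len(challenge) - second_part_len:]
    return md5_finish(preliminary_state, second_part, total)


def demo():
    # Constructed sample values, not taken from the patent: a placeholder protocol
    # identifier, a credential, and a 64-octet challenge whose octets are all non-zero.
    protocol_id = b"PROTO-ID"
    credential = b"user:secret"
    challenge = bytes(range(1, 65))
    state, cred_bits, first_len = client_preliminary(protocol_id, credential, challenge)
    digest = server_final(protocol_id, challenge, state, cred_bits)
    reference = hashlib.md5(protocol_id + credential + challenge).digest()
    return digest == reference, first_len, len(challenge) - first_len


if __name__ == "__main__":
    print(demo())  # (True, 45, 19)
```

The point the example makes concrete is that the chaining state plus the credential length are all the first network device needs to finish the hash, and therefore also all an eavesdropper would need; the claims accordingly keep both communications inside the tunnel (claims 83, 105 and 113), and the example assumes that protection rather than providing it.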

106. A client residing on a second network device of a communications network, for at least
partially authenticating a user in response to a challenge received at the second network device
from a first network device, the client comprising:

means for generating a preliminary hash value by performing only part of a hash function
on a first part of the challenge wherein the first part is less than the complete challenge,

wherein the second network device is operative to transmit a communication from the
second network device to the first network device, the communication including the preliminary
hash value.
107. The client of claim 106, wherein the means for generating includes means for performing
only part of a Message Digest 5-based encryption function.






108. The client of claim 107, wherein a standard Message Digest 5 algorithm includes adding
an appendage of information to information to be communicated to produce padded information
that has a length that is a multiple of sixty-four octets, and includes inputting the padded
information to a standard Message Digest 5 function, and

wherein the means for generating includes means for generating an input sequence to the
Message Digest 5-based encryption function by concatenating information to be communicated
from the second network device to the first network device, and means for inputting the input
sequence into the Message Digest 5-based encryption function without previously adding an
appendage of information to the input sequence.



109. The client of claim 106, wherein the complete performance of the hash function involves
performing a first number of iterations, and
wherein the means for generating includes means for performing a second number of
iterations less than the first number of iterations.

110. The client of claim 106, wherein the means for generating includes means for generating
the preliminary hash value based, at least in part, on the first part of the challenge and a user
credential.

111. The client of claim 110, wherein the means for generating includes means for dividing the
challenge into the first part and a second part, and means for configuring the communication to
include an indication of a length in bits of the user credential.

112. The client of claim 106, wherein the means for generating includes means for determining
a length of a concatenation of an authentication protocol identifier, a user credential and the
challenge, and means for dividing the challenge into the first part and a second part based on the
determined length.

113. The client of claim 106, wherein the client includes
means for controlling transmission of the first communication within a tunnel between the
first network device and the second network device.

114. A computer program used to control the computer to perform a method of at least partially
authenticating a user on a communications network in response to a challenge received at a
second network device from a first network device, the method comprising acts of:

(A) generating a preliminary hash value by performing only part of a hash function on a
first part of the challenge wherein the first part is less than the complete challenge; and

(B) transmitting a communication from the second network device to the first network
device, the second communication including the preliminary hash value.

115. The computer program of claim 114, wherein act (A) comprises:
performing only part of a Message Digest 5-based encryption function.

116. The computer program of claim 115, wherein a standard Message Digest 5 algorithm
includes adding an appendage of information to information to be communicated to produce
padded information that has a length that is a multiple of sixty-four octets, and includes inputting
the padded information to a standard Message Digest 5 function, and wherein act (A) comprises:

(3) generating an input sequence to the Message Digest 5-based encryption function by
concatenating information to be communicated from the second network device to the first
network device; and

(4) inputting the input sequence into the Message Digest 5-based encryption function
without previously adding an appendage of information to the input sequence.

117. The computer program of claim 114, wherein the complete performance of the hash
function involves performing a first number of iterations, and act (A) includes performing a
second number of iterations less than the first number of iterations.

118. The computer program of claim 114, wherein act (A) includes generating the preliminary
hash value based, at least in part, on the first part of the challenge and a user credential.
119. The computer program of claim 118, wherein act (A) includes dividing the challenge into
the first part and a second part, and the method further comprises:

(E) configuring the communication to include an indication of a length in bits of the user
credential.


120. The computer program of claim 114, wherein act (A) comprises:

(1) determining a length of a concatenation of an authentication protocol identifier, a user
credential and the challenge; and

(2) dividing the challenge into the first part and a second part based on the determined
length.

121. The computer program of claim 114, wherein act (A) includes transmitting the first
communication within a tunnel between the first network device and the second network device
and Act (C) includes transmitting the communication within the tunnel.